[HN Gopher] Google have declared Droidscript is malware
___________________________________________________________________
Google have declared Droidscript is malware

Author : croes
Score  : 775 points
Date   : 2021-04-27 14:11 UTC (8 hours ago)

(HTM) web link (groups.google.com)
(TXT) w3m dump (groups.google.com)

| sequoia wrote:
| > ...after taking into consideration the information that you have provided, we have confirmed that we are unable to reinstate your publisher account.
|
| I hate when using euphemism slides into flat out lying like this. They are not "unable" to reinstate the account, in fact they are _the only party_ able to reinstate the account, that's why the account holder was contacting them instead of someone else. They are "unwilling" to reinstate the account.
|
| I know it's all just bullshit but it bothers me anyway.
| zaphirplane wrote:
| Yes the wording is intended to soften the interaction. They use "we" to refer to the team you are interacting with emphasis on bound by the company policy/process
|
| You may see "we" as the company itself setting its own policy/process
| shockeychap wrote:
| Agree. 100%.
| vaer-k wrote:
| As a cashier, I am certainly "able to" just hand you the goods and let you leave without paying, but in reality due to laws, regulations and good morals I am unable to do that.
| onion2k wrote:
| It's reasonable to say you're unable to do something because it's against the law and doing it would make you a criminal. Equally it's fair to say you 'can't' do something that would go against your morals.
|
| That is not equivalent to what's happening here. There is no law preventing Google reinstating the account, and corporations don't have morals because they're not people. The only thing preventing them doing it is that the employees involved choose not to.
| sequoia wrote:
| As a cashier you are not empowered to make this decision.
| You are not "able to" violate store policy this way and keep your job. If a store owner or manager wishes to give someone a product for free or issue a full refund, yes they are "able to" do that.
|
| The rep in TFA uses "we," referring to Google. Google _is_ able to reinstate accounts, and The Google Ad Traffic Quality Team is able to reinstate accounts depending on their judgement of whether someone is violating policy. If they are not able to reinstate accounts, can you explain to me why they're adjudicating account ban appeals? Do they say "no" to everyone?
|
| The key point here is that the agent(s) are responsible for _interpreting_ the policy. They have decided that Droidscript violates their policy, and I personally have no opinion about that. But to imply that it's "out of [our] hands" is dishonest.
|
| Just say "upon review we've determined that your app violates our policies so we will not be reinstating your account."
| NateEag wrote:
| No, you _will_ not do that, and made that decision so long ago it feels inviolable to you.
|
| When someone points a gun at a cashier and says "this is a robbery and I'm gonna shoot you if you move a muscle," the cashier usually uses their ability to hold still out of concern for their safety.
|
| The distinction matters.
| pushrax wrote:
| Seems like an extremely minor gripe (as you mention, it's all just bullshit) to be the top comment.
|
| Though FWIW I'm unable to disagree.
| yomansat wrote:
| Reminds me of KBB.com who were "unable" to remove my personal data after they determined I'm not in California.
|
| They share your phone/email with lots of dealers if you request a quote and don't read the fine print like I didn't...
| joemi wrote:
| It's not lying because there is some implicit information in the "we are unable" statement. What is implied in statements like this is that they're unable due to their policies.
|
| If not for implications like this, almost every single use of "unable" (or "can't", for that matter) ever in a sentence would be "lying" unless something is against the laws of physics.
| tolmasky wrote:
| A pet peeve of mine is the deferral and personification of "policy". Policy is just your opinion that you happen to have written down in the past. It holds no power over you, you write the policy! It's not like the US law, which while also just words on paper, is enforced (and often chosen by) other people over you. Me deferring to the law (vs. my own opinion) has meaning because they _can_ be different. The way we really know this is that we repeatedly see policy broken all the time -- again, because it's just a pretend separate agent, not an actual entity that wields power over you. It does in fact ultimately just serve to disguise an active action as a passive one "Oh, I checked the book of rules (that I wrote) and it said I can't let you do that. Shucks. Man, that book, it's a tough negotiator. Nothing we can do I'm afraid." I think it is their right to write the rules, but just own up to it. Say "we aren't doing it because we don't want to," that's the truth, because if they did want to, they would, regardless of the "policy".
| caconym_ wrote:
| You aren't wrong, but (taking the corporate entity in question as a monolith, which is fair from the outside) "unwilling" is a much more honest word choice in cases like this since it clearly communicates that there was a real practical decision that could feasibly have gone either way. "Unable" lines up better with things that are infeasible, e.g. Apple can't recover the data on an encrypted hard drive without the password or recovery key because it's literally impossible or would at least require nation-state level computing resources to have a realistic shot at cracking even a weak password.
|
| "Unable" is dishonest because it passes responsibility beyond the veil of the typical user's ignorance. We're so used to this sort of language that we're conditioned to allow it even when we _know_ it's bullshit. It shuts down discussion and allows its wielder (inevitably a corporation) to avoid explaining itself. In the developed Western world we have a big problem with letting corporations do whatever the hell they want without explaining themselves, so I don't think we should let them get away with this sort of thing anymore, and not being satisfied with mealy-mouthed evasion is one of the first steps down that road.
| Closi wrote:
| > They are unable due to their policies
|
| Unable due to their policies, which they wrote and they can change (and which they often choose not to follow anyway).
|
| I agree with OP - it's not that Google isn't able to do this, it's that Google doesn't want to.
| StavrosK wrote:
| Well, I am unable to give someone your money because you won't agree. It's not against the laws of physics, but I still can't do it. Google _can_ do it, they just don't want to.
|
| Hell, they can even change their policies if they want, so they aren't really "unable".
| thaumasiotes wrote:
| > Well, I am unable to give someone your money because you won't agree. It's not against the laws of physics, but I still can't do it.
|
| If you tried hard enough, you could probably manage this.
| r00fus wrote:
| Using a less accurate phrase instead of a more accurate one because it benefits/shields you is a dark pattern.
|
| Were the implied statement made explicit, then yes it'd be accurate.
| sequoia wrote:
| I disagree. If you buy a product from me with 30 day warranty and it breaks on day 31 and you contact me, I will not give you a refund because: a) I haven't agreed to do so b) I'm not bound to do so c) I don't think it's warranted in this case.
|
| But I'm not _"unable"_ to issue a refund.
|
| In another case I may say "hm it's out of warranty but you know what, it really shouldn't have broken like that and you're a good customer, so I'll give a refund anyway." I can do that because I am _able_ to issue a refund.
|
| As for their policy, they are both the authors and _interpreters_ of their own policy, so the "my hands are tied" argument is pure BS. If they are unable to reinstate accounts, why do they have an appeals process at all?
| bipson wrote:
| "I can't agree with you"
|
| "I cannot continue this relationship"
|
| "I can't kill this guy"
|
| "I just can't eat meat anymore"
|
| "I cannot continue like this"
|
| These are all examples where someone clearly _could_ for physical reasons, but they _can't_ for other reasons they are bound to, _whatever_ these reasons are.
| nxpnsv wrote:
| Yep they are all lies. I _almost_ can't agree with you more.
| hossyposs wrote:
| Yes, but without those reasons these are just ambiguous unprovable statements.
|
| Without reasoning we cannot tell if the auxiliary verb is even correct.
|
| "I can't eat meat anymore because it's illegal", really should read "I shouldn't eat meat anymore" as although it's a bad idea you're still physically capable of eating meat.
|
| I think the issue we're talking about is ambiguity, and this really just emphasises the point.
| antonvs wrote:
| This all depends on having free will. Otherwise, those statements could all be literally true.
| zepto wrote:
| Technically you are right.
|
| However the key here is exploiting the ambiguity.
|
| 'We are unable to' is a cowardly way of saying 'we choose not to', or 'our policy dictates'.
| TheRealPomax wrote:
| If it's based on a real policy that can be verified by others, then there is no ambiguity here. "We reviewed your case, and based on our policy, we cannot reinstate your account.
| Because if we did, we'd be the ones violating our policy, and someone -including you- could then actually sue us for unfair business practices, rather than merely complaining about overly restrictive policies that are blindly enforced through a system that is hard to penetrate".
|
| No lying, no ambiguity. They can't reinstate this account.
|
| Should they change their policy so that _after_ that change, they can? Maybe, but good luck getting them to.
| zepto wrote:
| They can always either change or make an exception to the policy.
|
| A policy is just their way of doing things, written down.
|
| It's not magic.
| wizzwizz4 wrote:
| That's https://en.wikipedia.org/wiki/Selective_enforcement, which can be a problem, especially when contracts reference the policy.
| 7OVO7 wrote:
| The first sensible and rational comment I see here (I hope more comments like this in this post).
| IncRnd wrote:
| > If it's based on a real policy that can be verified by others, then there is no ambiguity here.
|
| In this particular case, the ambiguity is exactly that - Google didn't say what real policy was broken or how.
| gralx wrote:
| "We refuse to" might be clearest of all.
| tshaddox wrote:
| And yet no one, including people in this thread who are claiming that the intent of Google's wording is to deceive, are actually the slightest bit unclear about what Google means.
| CrendKing wrote:
| If Google chose to use the "uncowardly" wording, I'm sure someone would just post saying Google is arrogant and cocky bastard. No matter what someone will find some point to complain. Human nature.
| zepto wrote:
| That seems like a dismissal that could be applied to any criticism of any corporation.
|
| Can you explain what value it adds in this specific case?
| matz1 wrote:
| What value to add to criticize this specific case?
|
| Whether they use "unable" or "choose not to" shouldn't matter.
|
| Just treat it the same.
| javajosh wrote:
| "People will criticize no matter what you do" is a great line. It gets used a lot - not so much here, I've noticed. Probably because it doesn't address the particulars of any criticism, and instead provides a nihilistic view of the world where "real improvement" is impossible.
|
| "We're unable to" shifts responsibility to something vague, unspecific. It's like the "run around" only with this phrase you've been redirected to /dev/null. I'm glad the OP said something.
| pseudalopex wrote:
| Those express moral convictions or imminent psychological crises. A corporation experiences neither.
| fuyu wrote:
| If I were to ask you if I could get a refund for an item out of warranty, what language would you use to refuse me? I'm struggling to come up with a response that doesn't use the terms "unable" or "can't" that wouldn't come across as fairly rude.
| akiselev wrote:
| "We do not issue refunds for items with expired warranties"
|
| Notice that the policy is clearly stated in the rejection and there is no ambiguity.
| random5634 wrote:
| You would be lying - and people will call you out on this, because they will find out that you have in fact issued refunds for products with expired warranties.
| TheDong wrote:
| This level of semantics is pointless.
|
| They could write "We generally do not issue refunds for items outside of warranty" and they're back to the statement being just one level more vague, and thus more true.
|
| But in reality, both of those mean the same thing. Writing "We don't issue refunds outside of warranty periods" has an understood "excluding exceptional circumstances". Everyone knows it's there. Only people who are pedantic to the point of uselessness will argue about this, and you'll find out that the courts generally have little sympathy for that.
|
| All human languages so far are inexact.
| Math is probably the most exact language we've invented for communicating ideas, but languages that the general public knows are all inexact.
|
| If the correct thing is communicated unambiguously, that's already a success, even if a pedantic person can say "I know you mean that you don't 'generally' do it, so the absolute there is a lie", the fact that the pedant can point it out means they absolutely understood what was being conveyed correctly.
| sequoia wrote:
| > Unfortunately the warranty on your product has expired and we do not issue refunds for products outside the warranty period.
|
| If you pressed me I would admit that yes, in some exceptional cases we issue refunds for products outside of warranty but we're not doing so in this case because [whatever, the product broken due to misuse, etc.].
|
| To say I _am not_ issuing a refund or that I _do not_ issue refunds on out-of-warranty is truthful or reasonably so. It's perfectly possible to communicate that without being rude or claiming to be "unable."
| Spivak wrote:
| That feeling is specifically because we all know that depersonalizing and speaking passively 'softens' the blow.
|
| "As your product is out of warranty we will not be issuing a refund."
|
| Sounds rude, right? Because it draws attention to the fact that the decision is, at some level, completely arbitrary. But if you have your left hand write the policy and your right hand enforce it then you can say.
|
| "I'm sorry but I'm unable to issue a refund because your product is out of warranty."
|
| Makes it sound like that's just how the world works, doesn't it? And you come away feeling like "aww man they _can't_" instead of "they _won't_, money grubbing assholes." Customer service is, at its core, about managing emotions and often delivering bad news in a way that preserves the company's image.
| tannhaeuser wrote:
| How about "I'm afraid I can't do that, Dave"?
| edoceo wrote:
| computer says no
| 7952 wrote:
| You are not eligible for a refund under our warranty. Let us know if you have any more questions.
| georgeecollins wrote:
| Yes, but it is a dodge. Like an apology wrapped in an excuse. I read this post and I made a mental note to try to never say I am "unable" when I am unwilling. It's corporate speak that I have used myself.
| dalbasal wrote:
| You're right, but I think you're not doing justice to the OP's complaint.
|
| You're right that this isn't solely a faceless corporate thing. People say "I can't" when "I won't" for the same reasons Google did. We even ask "_can_ you watch my kids?" Again, the same reasons drive the language. It lets a false but face-saving implication stand: You will pick up my kids _if you can_ and if you won't then I'll assume you couldn't.
|
| We also "ask" our employees or waitresses to do things, even though it's technically an order.
|
| All this is good and fine. Language is _supposed_ to embed cultural niceties that speak to our values and smooth relations between people.
|
| The Orwellian shit comes in when it comes in. These cross from figures of speech into euphemization and the Orwellian point is that these things run deep. A bank manager is literally unaware of where her own prerogatives, organisational norms, hard corporate policies and regulatory rules begin and end. They are constantly implying (and thinking) that whatever is annoying/abusing their customers is not because of them. Usually it is.
| whycombinater wrote:
| https://www.youtube.com/watch?v=IRgsfHc8kqU&ab_channel=Harry...
|
| https://youtu.be/Y1QQSFlm0dI?t=81
|
| The audience is laughing because this notion is ridiculous.
| dabbledash wrote:
| Usually when I say that I can't do something I mean it's not within my power to do it.
| echelon wrote:
| Companies should not be gatekeepers of computing.
|
| We've gone from a world where we can run any software on our devices, to one where Apple and Google tell us how we can make money, what we can run, and what speech is permitted.
|
| It's Orwellian, but with corporate greed instead of nation state fascism.
| [deleted]
| barneygale wrote:
| Fuck google.
| swiley wrote:
| I've declared Android is malware then: The whole point of an OS is to run code for the user but Google has turned it into an additive adware delivery platform.
| darksaints wrote:
| Funny, the entire google android ecosystem is malware IMO. No I don't consent to your data harvesting...at the very least give me an optout.
| throwaway823882 wrote:
| So, what would be needed to start a real, honest-to-god replacement for Android/iOS?
|
| You'd need a whole governance structure for your project so it wasn't controlled by a sole entity. There would need to be assurances that using your project was stable long-term. That there were adults driving the bus, and that everyone could use the bus, etc.
|
| You'd need to provide a roadmap for everything needed to be built to replace Android, piece by piece. (I guess you could re-use sections of open source code, but some would need to be rewritten from scratch?)
|
| You'd need to contact developers, vendors, service providers, etc, the whole ecosystem existing around smart phones, and get them on board with your project. Sell it to them as "no longer being answerable only to Google and Apple". You'll also have to provide alternative revenue sources, as they may depend heavily on Google and Apple services for their revenue.
|
| And then you need to find people to do the work, and get paid for it.
|
| I'm guessing all this would take at least 6-12 months to get off the ground and some serious capital.
| coffeecat wrote:
| > In your case, we have detected invalid traffic or activity on your account (Publisher Code: pub-********) and as a result it has been disabled. Because of this, the ability to serve and monetise through all products which depend on AdSense will also be disabled (for example, AdMob and YouTube).
|
| > We understand that you may want to know more about the issues that we've detected. Because this information could be used to circumvent our proprietary detection system, we're unable to provide our publishers with information about specific account activity.
|
| > Once you've made changes to your site(s), app(s) or channel(s) to comply with our programme policies and terms of service, you can reach out to us using our appeal process. Please make sure that you provide a complete analysis of your traffic or other reasons that may have led to invalid activity in your appeal.
|
| I realize that the term Kafka-esque is a bit overused nowadays... but this sounds exactly like a plot summary of Der Process.
| eMGm4D0zgUAVXc7 wrote:
| PSA: "Der Process", English "The Trial", is old enough so you can read it for free on the internet, e.g. on Project Gutenberg:
|
| https://gutenberg.org/ebooks/7849
|
| It's a really entertaining read.
|
| And yes, it perfectly matches this situation - right in the very first sentence already.
| danudey wrote:
| "We've noticed that you're violating our policies."
|
| "Which policies?"
|
| "That's none of your business."
|
| "How are we violating them?"
|
| "I'm not going to tell you."
|
| "What can we do?"
|
| "Fix the issues, and then appeal."
|
| "Which issues?"
|
| "I've said too much already."
| mike_d wrote:
| I used to work detecting ad fraud. Publishers would do bad things, call in, and try to get their account rep to get details.
|
| Obviously I can't say "of the last 2500 ad clicks zero of them had any mouse movement over the ad before the click event" because then the publisher obviously just fixes their fraud software.
|
| This isn't specific to Google or even advertising. Every company has figured out when dealing with abuse and fraud sharing the minimum amount of information is beneficial to the health of the ecosystem as a whole.
| vaastav wrote:
| What about false positives? How did you account for that?
| PeterisP wrote:
| You make your peace with the fact that you'll have a certain rate of false positives, where you'll intentionally lose also some legitimate business in order to keep most of the "ecosystem" cleaner. Perhaps an unsatisfying answer, but that's it.
|
| It's not a situation like putting someone in prison where "beyond all reasonable doubt" is the appropriate mark; you can refuse to do business based on mere suspicion that may be mistaken. With fraud detection, you have to balance the tradeoff between false positives and false negatives, but you'll certainly have both.
| tempestn wrote:
| In a case like that, sure. But they don't provide any information even when they _want_ the publisher to make a change. Our Adsense account once got suspended because ads were appearing on pages that contained user-entered search keywords. Occasionally users would enter keywords that google considered 'naughty', and didn't want their ads appearing alongside. If they'd just told us that, we could have added a screen to not show ads with the list of keywords they had a problem with. Instead it was an infuriating, weeks-long process of pulling teeth to get clues as to what the problem might even be, and then making a list of every conceivably bad word we could find or imagine (admittedly that part was a bit fun) before we were finally able to get re-approved.
| And presumably we only got that much leeway because we were a reasonably large account.
| breakingcups wrote:
| Seeing it spelled out like this really puts things even more in perspective.
| obviouslynotme wrote:
| I am going to save this and print it out with the title "This is why we don't do business with Google."
| jedberg wrote:
| Any time there is an article about Google just cutting someone off for no reason, I like to bring this up:
|
| 20 years ago my AdSense account was frozen for click fraud -- my appeal is still pending. Ironically the website it was on was shut down 19 years ago.
| hilbert42 wrote:
| What else can you expect from a monopoly that _knows_ it's above the law--as there isn't any that's either applicable or enforceable?
|
| Thus, being above the law Google has no need to concern itself with bothersome matters such as fairness, justice and _one being considered innocent before the Law until proven otherwise by due process._
|
| Do we really have to go demonstrate on the streets before our legislators will act to stop this out-of-control monster?
| mlindner wrote:
| This piece of software (based on the comments) sounds absolutely like malware, or at least a malware-enabler. Glad such things aren't possible on iOS.
| blakesterz wrote:
| I had to go look to see what this was:
|
| "DroidScript is an easy to use, portable coding tool which simplifies mobile App development. It dramatically improves productivity by speeding up development by as much as 10x compared with using the standard development tools. It's also an ideal tool for learning JavaScript, you can literally code anywhere with DroidScript, it's not cloud based and doesn't require an internet connection. Unlike other development tools which take hours to install and eat up gigabytes of disk space, you can install DroidScript start using it within 30 seconds!"
| 1vuio0pswjnm7 wrote:
| Sounds too good to be true.
| Is this open source and available on F-Droid? If not, it should be.
| kbelder wrote:
| This is my primary hacking tool for throwing little scripts together on Android. You can bring up an IDE in chrome on your PC and interactively execute it on your phone. I hope this gets fixed.
|
| I wouldn't really be surprised if EVERY scripting/programming app in the play store technically violates some play store rules, though.
| yaur wrote:
| Do these scripts run as the IDE? If so it seems like they could be held responsible for any bad behavior engaged in by their users.
| teknopaul wrote:
| Let's be clear: for Google's definition of bad.
| ehsankia wrote:
| > I hope this gets fixed.
|
| Define "fixed", it was removed from Play Store but anyone can still install from APK or F-Droid, right?
| matoro wrote:
| It's closed-source and paid. Not allowed on F-Droid.
| [deleted]
| narwally wrote:
| Well damn, now I want to download it. I've never gotten into mobile development because getting started always seemed like a chore, but this sounds like it would be fun to play around with.
| loa_in_ wrote:
| Whatever you choose, moving to mobile development is extremely fun once set up. Usually IDE of your choice reloads the app on the phone over the cable for you, so the feedback loop is really nice.
| stevewodil wrote:
| Try Flutter! Great SDK to get started with mobile development, and dart is a really nice language
| Steltek wrote:
| Having tried neither, Flutter sounds like the polar opposite of both the experience and capability that GP mentioned. I'm sure it's nice but can it be developed interactively in a PC browser as described above?
| ajross wrote:
| Time for one of these again.
|
| So...
| having read through their marketing material, this is an on-device tool that opens up what appears to be most of the Android application API to at least the user of the device, and potentially to any Droidscript applications they grab from other sources, and... maybe to other apps on the device? It's not clear from a quick read how extensive the runtime control is.
|
| So just right out of the gate this is defeating basically the entirety of the Play Store vetting process. Droidscript itself may not be engaged in advertising fraud, but it makes advertising fraud trivial to deploy. (And it needs to be said: this is the kind of app that would never have been legal at all on any version of iOS.)
|
| Add to that that it's a closed source IDE for an open platform, and my intuition sides with Google here. My guess is that when details come out it will turn out that at-least-plausibly harmful Droidscript garbage was being pushed to users and Google decided to kill it.
| kemonocode wrote:
| Still seems strange to me they focused so hard on the ad fraud part of it, unless they had a sudden change of heart and needed an excuse to get Droidscript out of the Play Store. They could just as well simply have said that any app that allows for easy, arbitrary code execution is a security liability and won't be accepted on the Play Store, which does include a fair number of root-required tools that have been removed at some point before. I don't necessarily agree with it, but that'd be a pretty believable justification.
|
| My gut feeling says these devs aren't telling the whole story.
| qwertox wrote:
| > Droidscript itself may not be engaged in advertising fraud, but it makes advertising fraud trivial to deploy.
|
| I think that this is what has happened.
| The author of DroidScript claims that
|
| > Unfortunately we also have to inform our users that we could no longer support AdMob for use in their own apps either, because we can't test it anymore and can't guarantee that Google won't treat them in the same brutal way.
|
| So apparently users were able to do stuff with AdMob on DroidScript's back, and _maybe_ AdMob registered these fraudulent actions with some Google-ID which was assigned to DroidScript.
| vultour wrote:
| > Play Store vetting process
|
| You mean the one that doesn't exist?
| indymike wrote:
| Interpreters are problematic as they all are for executing what amounts to arbitrary, un-vetted and unsigned code. Whether or not to allow them should be up to the user and it is. Google is saying here, if you want this, you'll have to sideload it.
| protoman3000 wrote:
| I don't get your point. Sideloading apps was always possible on Android even without a jailbreak. We're not in Apple world, so it's unclear which Playstore rules got broken here.
| lupire wrote:
| Side loading is an Android OS feature, not a Play Store feature. Can you sideload via Play Store apps? F-Droid isn't in Play Store, but APK Manager is, so I'm confused.
| rOOb85 wrote:
| > Can you sideload via Play Store apps?
|
| Yup. Check out aurora store. It's an open source frontend to the google play store. All apps can be installed (except of course paid apps. Though if you bought the app and sign in to the account with aurora you can)
| Jach wrote:
| You've always been able to use any of the web browsers in the store to download and install a random APK from a website (for example F-Droid), you don't even need to sideload it. Sideloading apps is mostly just a relevant concept for developers or for users who have no alternative to getting custom code on a device. (Edit:
(Edit: | Speaking of ad fraud brought up by the GGP, there are | also many automation apps, at least one (Automate) uses a | plugin flow-chart architecture exposing all sorts of | functionality, with users able to share custom scripts. | Not to mention tons of plain "auto-clicker" apps.) | yjftsjthsd-h wrote: | > Droidscript itself may not be engaged in advertising fraud, | but it makes advertising fraud trivial to deploy. | | No more than being able to build an app on my laptop and push | it over ADB. | | > (And it needs to be said: this is the kind of app that | would never have been legal at all on any version of iOS.) | | It also needs to be said that this is why I don't use Apple | devices. What they inflict on their platform is not an | argument for what should happen elsewhere. | eptcyka wrote: | Chrome is closed source and has developer tools, and has damn | near every permission Android provides. You can app your apps | on it, as long as they are of the web variety. Should we not | ban chrome too? | | If droidscript enables ad fraud, isn't it an issue with how | the android sandboxing model is fundamentally broken? Given | that there are far more people using phones than computers, | and a lot of new smartphone users will have never used a | desktop or laptop computer, droidscript might be their first | venture into programming and/or hacking. Let's not shut it | down. | lupire wrote: | Chrome polices websites with per-site permissions, | controlled by the user. Does DroidScript give users the | same level over control over 3rd party code? | robocat wrote: | Chrome does not provide raw access to the APIs from | JavaScript. Instead everything is sandboxed to the hilt. | | Also the product has a very heavy emphasis on security, the | security team is superb quality and well funded, and Google | know that the team is trustworthy. | overgard wrote: | We're talking about a development tool. 
Of course it's going | to make any use of the device possible -- that's the entire | point. If the point here is that any development tool | shouldn't be allowed in the store (which I think google and | apple are mostly fine with), that's a pretty sad thing in my | opinion. Maybe google is "right" in enforcing their policies, | but is it helping anyone? | Pxtl wrote: | That said, an open-source version of this on F-droid would be | hella cool, but wrapping every API with Javascript sounds | non-trivial. | yjftsjthsd-h wrote: | > wrapping every API with Javascript sounds non-trivial. | | I am not an expert in JS or the Android API, but I wonder | if you couldn't do it automatically? If types line up | closely enough, I would think that you could get a list of | Android APIs (pull it from AOSP if you have to) and | mechanically translate to a JS API. | nitrogen wrote: | If Android's JVM supports reflection, you could do it | dynamically at runtime, and there are probably already | JS+JVM integrations that would work. | JosephRedfern wrote: | Drozer does (did?) this, except with Python rather than | JS. https://github.com/FSecureLABS/drozer | lupire wrote: | Apache Cordova exposes APIs to JS. | wzdd wrote: | > this is the kind of app that would never have been legal at | all on any version of iOS. | | Pythonista is a complete Python programming environment which | provides access to camera, music, contacts, the network, and | so on, and has been available for iOS since 2016. What | specifically distinguishes Droidscript from Pythonista such | that you think Apple would reject Droidscript? | | https://apps.apple.com/us/app/pythonista-3/id1085978097 | antman wrote: | You can't use it to create a backup script to online backup | your phone data. For good measure iOS also blocks all apps | since they would lose iCloud revenue. | judge2020 wrote: | I'm sure they've already lost a lot of money to Google | Photos's previously-free photo backup. 
| easton wrote: | Droidscript has support for writing custom intents, which | Pythonista (and Scriptable, a JavaScript version of the | same thing) do not have. A malicious Droidscript | application could access other applications on the device. | | https://symdstools.github.io/Docs/docs/app/SendIntent.htm | munk-a wrote: | I know that this has but a fat chance of being taken | seriously by Google but... Isn't this a good chunk of the | reason why people here on HN and elsewhere have been | arguing for much more granular intent management on | Android like they had in the early days? | | When we get permissions boiled down to one or two popups | we end up with issues providing accurate privileges to | applications (and might be forced to allow WhatsApp to | trawl through our contact list if we ever want to send a | picture in it). | | Granular control shifts the power to the user and allows | programs like this to have more fine tuned privileges. | sdenton4 wrote: | Alas, granularity very quickly turns into users clicking | through piles of crap without thinking about it. With | great power comes great user error. | munk-a wrote: | I disagree - it turns into users clicking through piles | of crap if you've got a crap UX. If the UX is well tuned | to display this information and let the user break out to | greater levels of detail or keep things simple then you | can find a good middle ground. | | Given the amazing strides in usability we've seen in | nearly every other field it baffles me why everyone isn't | onboard with the fact that we can take the learnings from | elsewhere and bring them to the domain of permissions. | | Permissions are almost always hierarchical and grouped | into classifications that make it easier to present the | user with fewer more meaningful choices than asking the | user to approve whether an app can see each contact on | their phone one-by-one. 
| | I'm honestly a bit cynical (puts on tinfoil hat) that | marketers have held us back here since a lack of granular | permissions aligns quite well with their effort to grab | as much personal data as possible. | sdenton4 wrote: | There's so many crazy gotchas in android permissions, | though... eg, most users won't know that there's a | connection between wifi and geolocation data. That's a | non-obvious connection with a real trade-off: the app | might have some interesting wifi-based functionality, but | in exchange the app authors might harvest your geo data. | | Consider the permissions for the lowly keyboard app... | | A proper understanding of fine-grained permissions | basically requires a working knowledge of how that | permission might be or has in the past been abused. | | And ultimately, fine-grained permissions are probably | answering the wrong questions. The user expresses some | basic trust via the initial app installation; what | permissions ultimately help with is deciding whether or | not to keep trusting the developer. If the app ask for | lots of unexpected stuff, it's probably malware and | should be uninstalled. If the permissions seem | reasonable, the app is probably fine, and the user just | wants to delegate responsibility to the app to do what it | needs to do to get shit done. | | It's really /all/ about trust. If you can't trust a | random app, installation is a high-friction event. Check | the stars, number of users, read a bunch of recent | reviews, carefully go through permissions providing | access for exactly what's needed. If you /can/ trust a | random app, you can just install it, use it to read the | fscking QR code and go on with your day. The need for | trust is why we've ended up with centralized app stores | with stringent content policies, and all the false | positives that come along with it. | amelius wrote: | Are Play Store regulations the only defense against this | kind of attack? If so, then yikes! 
| JeremyBanks wrote: | Android's fine-grained permissions system isn't a good | fit for something like Droidscript; one script could use | a permission for valid reasons, then another could do | something bad. | veeti wrote: | You can't access any random application just by sending | intents. Available intents must be exposed to other apps | if desired - for example, the camera app has a "show the | camera for taking a photo" intent. | quotemstr wrote: | If you don't want another process sending you an intent, | don't export your entry point. This isn't hard. Security | through obscurity is no security at all. | franga2000 wrote: | I've done some, although not a lot of, native Android | development and I'm not quite sure what's so bad about | sending intents. "Could access other applications" sounds | dangerous, but as far as I know that "access" is limited | to things those apps have explicitly decided to allow | external apps to access. | spinny wrote: | Probably it's not the capability to send custom intents. | Everytime i buy a new device, i look for apps with | unknown or curious names, check the manifest and use an | app like Intent (https://play.google.com/store/apps/detai | ls?id=krow.dev.schem...) to poke around. | easton wrote: | Applications could be exposing intents they assume will | be used by trustworthy applications (i.e. apps in the | Play Store). A user could download a Droidscript (which | as I understand doesn't trigger the unknown sources | policy) which then tries to use intents it shouldn't need | without asking the user for permission. | | If Droidscript required unknown sources to do anything | (not just APK exports), then other apps could check the | unknown sources policy on the device and disable certain | intents (which they may do anyway at the moment, since | that would mean that the applications installed may be | untrustworthy). But this way there isn't any way to tell. 
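An added example, not part of the thread and not code from DroidScript or Android: the comments above turn on which components an app exports and whether a permission guards them, so this Python sketch audits a decoded AndroidManifest.xml for exactly that. It assumes the pre-Android-12 default (an intent filter implies exported) and treats permissions not declared in the manifest as adequate; the manifest, package and component names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest for a hypothetical app (not from the thread).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <permission android:name="com.example.notes.SYNC" android:protectionLevel="signature"/>
  <permission android:name="com.example.notes.READ"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ShareTargetActivity">
      <intent-filter><action android:name="android.intent.action.SEND"/></intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.notes.SYNC"/>
    <receiver android:name=".ResetReceiver" android:exported="true"
              android:permission="com.example.notes.READ"/>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.notes.INTERNAL"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:exported="true"
              android:authorities="com.example.notes"
              android:readPermission="com.example.notes.SYNC"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute; None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _exported(comp):
    """Effective android:exported value, including the implicit default."""
    explicit = _attr(comp, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if comp.tag == "provider":
        return False  # default when targetSdkVersion >= 17 (assumed here)
    # Before Android 12 an intent filter silently implied exported="true".
    return comp.find("intent-filter") is not None


def _is_launcher(comp):
    for flt in comp.findall("intent-filter"):
        names = {_attr(e, "name") for e in flt}
        if {"android.intent.action.MAIN", "android.intent.category.LAUNCHER"} <= names:
            return True
    return False


def _guards(comp, app_perm):
    """Permissions every caller must hold; an empty list means none."""
    perm = _attr(comp, "permission")
    if perm:
        return [perm]
    if comp.tag == "provider":
        rw = [_attr(comp, "readPermission"), _attr(comp, "writePermission")]
        if all(rw):
            return rw  # both the read and the write path are covered
    return [app_perm] if app_perm else []


def audit_manifest(xml_text):
    """Map each exported component to launcher, open, weak-permission or guarded."""
    root = ET.fromstring(xml_text)
    # Permissions the app declares itself; protectionLevel defaults to "normal".
    declared = {_attr(p, "name"): _attr(p, "protectionLevel") or "normal"
                for p in root.findall("permission")}
    app = root.find("application")
    app_perm = _attr(app, "permission") if app is not None else None
    report = {}
    for comp in root.iterfind("application/*"):
        if comp.tag not in COMPONENTS or not _exported(comp):
            continue
        guards = _guards(comp, app_perm)
        if not guards:
            status = "launcher" if _is_launcher(comp) else "open"
        elif all(declared.get(g, "signature").startswith("signature") for g in guards):
            # Permissions declared elsewhere (system, other apps) are assumed adequate.
            status = "guarded"
        else:
            # Any app can request a normal or dangerous permission: a weak gate.
            status = "weak-permission"
        report[_attr(comp, "name")] = status
    return report


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

The input must be the text form of the manifest; the binary manifest inside an APK has to be decoded first. Components reported as `open` are the ones whose handlers need to validate every incoming intent as untrusted input.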
| zshift wrote: | > Applications could be exposing intents they assume will | be used by trustworthy applications (i.e. apps in the | Play Store). | | This is a poor assumption to make. Any data coming into | your application should be assumed to be malicious. This | would be the same as a server just accepting any data | made to its API calls without any validation. | tremon wrote: | _trustworthy applications (i.e. apps in the Play Store)_ | | Please don't equate trust with any app store like that. | Firstly, many incidents have shown that this blanket | trust isn't warranted, and second, the final arbiter of | trust is the _owner of the device_, not the owner of the | app store. | grawprog wrote: | Yes...Droidscript allowed one to use the tiny computer in | their pocket similarly to the way one could use the large | computer on the desk. One could script small apps on their | tiny computer and they could access most of the same api as | java apps. It was pretty awesome. | passivate wrote: | > My guess is that when details come out it will turn out | that at-least-plausibly harmful Droidscript garbage was being | pushed to users and Google decided to kill it. | | Yes, I'm sure Google will carefully release details that | paint them as the good guy. Certainly, we don't want to be | needlessly unfair to them, but there is zero reason to give | them free trust at this point. | BoorishBears wrote: | Google will not release details because Google doesn't care | if they look like the good guy (otherwise they wouldn't do | stuff like this in the first place!) | | Best case is the right person sees this social media | outcry, silently gets it fixed and Google moves onto | destroying the next developer. | dtx1 wrote: | I think your thoughts on this are plausible, if not likely. | However, the usual complete lack of communication by google | is the actual problem. Perhaps droidscripts could mitigate | google's concerns, if they had the decency to explain them.
| sofixa wrote: | But if they do, a malicious actor can use that information | to circumvent their restrictions, and it's their walled | garden, so they have very little incentive to tell everyone | _exactly_ what they don't like. | marcinzm wrote: | And we have very little incentive to not complain loudly | and publicly about their practices. | Jordrok wrote: | I know this is standard practice for most big companies | moderating lots of content, but it has always seemed like | such an insane policy to me. | | Imagine if this were applied to actual laws enforced by | the police. "You're under arrest but we won't tell you | what law you've broken, because then other criminals | might use that knowledge of the law to avoid being | arrested. And by the way, a secret court has sentenced | you to life imprisonment and all of your appeals have | been denied." | Dylan16807 wrote: | Okay, but this developer isn't "everyone", and there | seems to be no reason not to explain in this case. | sofixa wrote: | Unless the developer decides to share on Twitter or HN or | w/e, and now malicious actors know as well. | Dylan16807 wrote: | I meant that this information is not a problem to share, | and that sharing information in one case does not imply | sharing it in all cases. | ben509 wrote: | That's the claim made by Google and many other big | corporations. It's plausible enough, but I haven't seen | any hard evidence that it's true. | | Suppose it is true that these companies can't reveal | their decision making because there's so much to be | gained by bad actors that game these highly centralized | systems. | | Then it seems like a larger number of smaller firms could | be more transparent and still achieve the same effective | level of security. | ajross wrote: | > However, the usual complete lack of communication by | google is the actual problem. | | Uh...
Seems like the _actual_ problem (given that scenario) | is that adware is being pushed to users, not whether or not | Google defended its ban in public. Complaints about | customer service (from everyone, not just Google) are a | dime a dozen, actual user security is clearly more | important, right? | | Your answer presupposes a frame where Droidscript is | innocent. What if it's not, and it knowingly nodded to a | community of junkware being pushed to its users (again, I | have no evidence!). In that case you'd want it banned | without "decency", right? | wtetzner wrote: | > Seems like the actual problem (given that scenario) is | that adware is being pushed to users | | _Google_ itself is adware. | dtx1 wrote: | Banning it first is fine. banning it first, then not | giving a reply to the concerns they have is not. Even if | they have reasonable believe or proof that droidscript is | indeed malware, it looks like at least a chunk of their | userbase uses it for legitimate usecases and the devs, | who likely invested at least a few hundred hours of work | in it, deserve at least some communication. | szopa wrote: | I used to work at Google, and a friend reached out to me | for help - his company's app was in a similar situation, | with similar communication from Google. This was a good | friend from high school, so I pressed the issue using | internal channels. The person handling it on Google's | side was very assertive about them violating a policy, | and after some back and forth I received a _vague hint_ | about what was the supposed violation. I passed the hint | along, and after some digging, lo and behold, it turned | out one of their people had lifted someone else's images | without permission, violating copyright (kudos to Google | for figuring it out). My friend apologized profusely to | me, to the support rep, his boss, and let the culprit go. | They purged the app's assets, changed their processes, | and eventually the app was reinstated. 
| | Now, this was a special situation. I had a personal | relationship with the developer, and I was happy to vouch | for their honesty. Yet it still turned out Google had | been right all along. Now, it's a shame Google couldn't | let them know what was the issue. However, it's a safe | assumption that the vast majority of people Google | support deals with _are_ spammers. And there 's a lot of | them. If Google gave a detailed explanation to all of | them it would mean a ton of additional work - which would | create an unsustainable situation at this scale. | Dylan16807 wrote: | > Yet it still turned out Google had been right all | along. | | No they weren't. It was not right to terminate the entire | app because someone used an image wrong. | munificent wrote: | Caveat: I work at Google but know nothing about this area | and my opinion here is entirely personal. | | _> which would create an unsustainable situation at this | scale._ | | Financial sustainability may have something to do with | it, but I suspect the larger issue is that providing too | much detail essentially trains malware authors to route | around the company's defenses. | | Imagine the Play Store as a castle which has both good | townsfolk coming and going as well as being perpetually | under siege by a malicious lord. Sometimes, the castle's | defenses inadvertently prevent a townsperson from getting | to market to sell their onions. When the townsperson is | like, "Hey, I can't get in to sell my onions." it's | helpful for the castle defenses to be like, "Well, we | have the portcullis raised from 9am-11am on Tuesdays and | the gatekeepers listen for your accent to decide if | you're a local or an enemy." | | But that's, like, exactly _not_ what you want to say if | the "townsperson" you're talking to is actually an enemy | spy taking notes. | stickfigure wrote: | That doesn't seem to be a problem in this case? 
Telling | spammers they are blocked due to copyrighted images | trains them not to upload copyrighted images. Win-win. | spinny wrote: | picking up copyrighted images is another indicator that | user X is a spammer, providing that info would eliminate | the signal | zmmmmm wrote: | Well, this is the essence of discrimination and we | wouldn't tolerate it for a whole range of indicators | (you're black, gay, if a particular race, etc etc). My | guess is the real reason they won't tell people is that | they would end up in court pretty quick. | salawat wrote: | Say it with me now: | | >"Rough consensus, and running code. We are not the | Protocol Police." | | Half the problems we have nowadays is because we have | manufacturers playing "the Program Police", which leads | inevitably to the point you just made. | | You are now, like it or not, adversarial to any User | looking to do anything you find unconformant with your | bottom line. You cannot solve these issues by | whitelisting, just like you can't solve the problem of | crime by whitelisting, and hiding the conformance suite. | If you can't know the test, you can spend infinite cycles | changing the wrong thing to comply with it, and I do not | find that to be a tenable state-of-affairs to push on | users, even if intentionally aimed at the malicious ones. | This is the same problem we have in meatspace with our | overly byzantine legal system; but nobody accepts that | secret laws are a good idea because if everyone can read | the law, it's a national security risk. At least no one | without some serious conflicts of interest. | | Do you really think that your company is going to nail | down a good solution to a problem that society at large | can't even handle reasonably? I mean, think about it. | This really is a subset of the general question of how to | keep everybody doing something productive. I don't even | need an answer. I just want to encourage people to think. 
| fencepost wrote: | _I suspect the larger issue is that providing too much | detail essentially trains malware authors to route around | the company's defenses._ | | Perhaps so, but it seems not unreasonable to have SOME | ability to work with the creator of an app that's been on | the store for years with a substantial number of ongoing | users and (speculating) a non troublesome pattern of | installs and purchases. | | Nobody believes that Google is technically or | financially unable to do this, which leaves the other | option - at a corporate level not giving a shit enough to | even bother trying. | | Google will often do the right thing whether by plan or | by happenstance, but it pays to be aware that when it | does the wrong thing there is no recourse and will be no | correction. | shkkmo wrote: | I'm sorry, but the "security" excuse is BS. You don't | have to tell users what automated tool flagged them or | how their violation was discovered. | | You do have an ethical obligation to inform them of what | policy was violated with sufficient detail that a good | actor has a reasonable chance of complying with your | policy. | | I think that this should be required of any company that | provides publicly available goods/services, not just | Google. This doesn't just help with monopolies, but also | makes it harder to hide racism and censorship behind | opaque policies. | veeti wrote: | > It's a safe assumption that the vast majority of people | police deal with are criminals. And there's a lot of | them. If they gave a detailed explanation of why they are | under arrest it would mean a ton of additional work - | which would create an unsustainable situation at this | scale. | | But it's all good, Google is a private company(tm) and | can do whatever they want(r). | jldl805 wrote: | Actually Google is a public corporation, not a private | company. | Aissen wrote: | > Now, it's a shame Google couldn't let them know what | was the issue.
However, it's a safe assumption that the | vast majority of people Google support deals with are | spammers. And there's a lot of them. If Google gave a | detailed explanation to all of them it would mean a ton | of additional work - which would create an unsustainable | situation at this scale. | | I don't think that's reasonable. What if most are | spammers ? Better let a few spammers in than treat | someone unjustly. Why would it become unsustainable ? | I've seen this argument repeated ad nauseam, but have yet | to see proper proof. | | In this particular example, a copyright violation was | detected in a image, so an automated response "someone | else's image was used without permission, violating | copyright" seems entirely plausible. | troyvit wrote: | Google has the scale to do this, but they also have a | large enough monopoly where they don't have to, so they | won't. It's not that it's unsustainable, it's that it is | entirely sustainable to continue doing things this way. | JeromeLon wrote: | Can you elaborate? I can see how Google can scale this | automatically. But I don't see how Google can terminate, | say, one million apps a day, if each termination entitles | the spammer a one hour conversation with a technical | representative. | BoorishBears wrote: | Why does it need to cost them an hour conversation?! | | Look at the tone-deaf example this employee just shared. | All they had to do was say _in the same email that they | used to ban someone_ "you have copyrighted images". | | The moment they find an infraction they could literally | take a screenshot, say "the problem is X" and email it, | which would incur the 5 seconds it takes to add a | screenshot and say the problem you already identifies, | but make a _world_ of difference for developers. 
| | This nonsense about "it's to stop spammers" isn't about | the cost, the laughably bad logic Google uses is that by | identifying what rules you broke, spammers will get | better at not doing stuff Google catches... | | As if the spammers don't already know what they did to | get caught! | burnished wrote: | Make the person but the hour, say $100. It's a very | different value proposition for some one saving their | business vs some one trying to game a system. | splistud wrote: | If proper support is unsustainable due to the model, it | is the model that has to change. | baq wrote: | i disagree about unsustainability. there are real people | on the other side of the business among these bots and | spammers and if you ignore them because they might be | bots and spammers, they'll leave and tell other real | people that google can't be reasoned with because they | assume everyone is a bot and a spammer. | | you see exactly this happening all the time here on HN. | the sentiment for the past few years is abysmal. google | is actively blowing up their power user/developer | customer base. looks like a metric somewhere got | optimized a bit too well. | stjohnswarts wrote: | I think so as well. As a duopoly Google and Apple owe it | to their customers and 3rd party developers to know why | something gets banned. Being in that position requires | special consideration to hold that much power. Government | has to do it, why don't huge corps? | kentonv wrote: | > However, it's a safe assumption that the vast majority | of people Google support deals with are spammers. If | Google gave a detailed explanation to all of them it | would mean a ton of additional work - which would create | an unsustainable situation at this scale. 
| | You describe a situation where Google was going to put a | whole company out of business -- probably ending your | friend's job, as well as that of many other honest people | -- rather than give them the information they needed to | fix the problem. And you think this is reasonable, | because it would be "a ton of additional work" for | Google? We just have to accept people losing their | livelihoods as collateral damage in the war on spammers? | | Imagine if we applied the same logic to the government. | If they think you committed a crime, they just toss you | in jail and don't have to tell you why. They could catch | a lot more criminals if they didn't have to waste time | prosecuting them! | | No, we need a Habeas Corpus for tech companies. If you | are banned, you have to be told why. Make it a law. I | don't care if it results in more spam. | richardfey wrote: | I liked all of your comment, but this passage in | particular: | | > No, we need a Habeas Corpus for tech companies. If you | are banned, you have to be told why. Make it a law. I | don't care if it results in more spam. | | The whole ordeal seems like an attempt to educate app | developers by whipping, where the victims have to guess | what they did wrong. | cannabis_sam wrote: | "The opaque email responses will continue until morale | improves." | specialist wrote: | Yes, and: Efficient markets require fair & impartial | courts, tort, transparency, accountability. Etc. | pyrale wrote: | > In that case you'd want it banned without "decency", | right? | | Due process isn't really a sound concept if it's only for | innocent people. | ddtaylor wrote: | > but it makes advertising fraud trivial to deploy. | | Compared to what? If someone wants to run a random APK that | has some kind of ad fraud in it, they very easily can even if | Droidscript doesn't exist. | mdoms wrote: | > So... 
having read through their marketing material, this is | an on-device tool that opens up what appears to be most of | the Android application API to at least the user of the | device, and potentially to any Droidscript applications they | grab from other sources, and... maybe to other apps on the | device? It's not clear from a quick read how extensive the | runtime control is. | | When did we collectively decide that programmable computers | were a Bad Thing? | NateEag wrote: | Some of us realised that end users don't want to program | and that they can be better protected from themselves by | only allowing execution of arbitrary code when they | explicitly say they want it. | mdoms wrote: | Presumably those end users aren't downloading | Droidscript. | antman wrote: | Vetting process is just excuse for rent seeking, a better | client ui for us to approve permissions would cost nothing. | exyi wrote: | Should the Chrome browser be also banned from Android since | it is trivial to deploy ad fraud campaign on the web? | bosswipe wrote: | Whatever "open platform" might mean Android is becoming less | and less of one as Google has made huge efforts to move more | and more core operating system functionality into closed | source Play Services and continues to remove developer access | to many APIs in the name of security. In fact what you're | advocating for in this comment is to make the platform less | open. | | > (And it needs to be said: this is the kind of app that | would never have been legal at all on any version of iOS.) | | Exactly, iOS is not an open platform and Google has decided | they want to be more like iOS. | throwawayffffas wrote: | > Add to that that it's a closed source IDE for an open | platform, and my intuition sides with Google here. | | If I can't ship my closed source IDE on the platform is the | platform really open? 
| | > My guess is that when details come out it will turn out | that at-least-plausibly harmful Droidscript garbage was being | pushed to users and Google decided to kill it. | | Of course they will say it was because x, y, and z were done | to protect the users. But is it really for the users' benefit | or just about control over their walled garden? | numpad0 wrote: | Sounds like effective lack of means of production available | inside the platform is fundamental to sustainable | platform... | ajross wrote: | > If I can't ship my closed source IDE on the platform is | the platform really open? | | For clarity: the Play Store is not an open platform. The | Android API being exposed by Droidscript very much is. | throwawayffffas wrote: | Fair, I misinterpreted what you were saying. | simias wrote: | Was it used to publish malware? Given that it's a general | purpose scripting tool I can imagine that some people would | abuse it and use it as some sort of backdoor to get clueless | users to run malware without having to publish it on the app | store. | | _If_ that 's the argument I can sort of see Google's point | here. The Play Store is supposed to be curated and the | application should follow certain guidelines. This tool as I | understand it effectively provides a loophole that lets people | run non-curated code without jailbreak. I know that Apple | removed apps for similar reasons in the past. | | TFA is a bit misleading, the whole "AD FRAUD" angle is frankly | irrelevant, it's just that since Google considers that the app | violates the guidelines it can't be eligible for the ad | program. | franga2000 wrote: | > This tool as I understand it effectively provides a | loophole that lets people run non-curated code without | jailbreak. | | Installing non-curated apps has always been supported on | Android - no jailbreaking required. 
Just get an APK either | straight from the developer or through any number of | alternative app stores, open it, click the "yes, I'm sure" | option in the security popup and you've got yourself an app. | MadWombat wrote: | One of the specific features of DroidScript is that it is a | remote IDE. That is, when you start DroidScript on your phone | it will serve the IDE UI via HTTP and you can then connect it | by using your phone's IP address (DroidScript conveniently gives | you a URL to use). Maybe that is the reason for Google's | decision. | | Also, according to DroidScript itself, Google accused them of | ad fraud, so maybe there is something there. | progfix wrote: | How convenient for Google. | Arjuna144 wrote: | Ouch, they have done this sort of thing since quite a while now. | A good friend of mine had a very big website (among top 200 Alexa | rating in ~2010) with ad revenue around 10k per month. Google | just terminated the website without supplying additional much | helpful information. Just an automatically generated email saying: | you are done.... (that page was https://kriyayoga.com, which | since has been closed down and made available for free download, | only the tomb-site remains) | cube00 wrote: | Search the phrase "I made sure to include all the information | available to me" and the tale of woe is incredible, all 79,000 | hits of it. | fctorial wrote: | So they created an app that works as a programming environment, | one of their users abused the google play services and they are | getting the flak for it. | rjmunro wrote: | Could Droidscript's remote IDE features have a security hole that | is allowing people to remote install malware into Droidscript | users? | | Google would see this malware coming from Droidscript; | Droidscript would not see anything in their code that could be | causing it.
| qyi wrote: | We live in a world where people unironically put comments on top | of every file in their projects (but only the ones they can | easily insert a meaningless string into) like "you cannot | disclose this file blah blah blah" and call themselves "grown | ups". What's this Android nonsense, can't it just run programs | like a normal computer? At the very least if it purports to not | be a general purpose computer, then there should be no excuse for | security vulnerabilities. | unexaminedlife wrote: | I like most people don't like the idea of a few large groups | controlling entire ecosystems. Especially in technology if these | companies have a complete stranglehold on the entire system it's | not good. | | HOWEVER, I really don't think that's the case. I mean look at | Hacker News! They built up their brand and product through grass | roots efforts. Large ecosystems take notice and recognize, I | think, reputation in smaller ecosystems. | | When a group gets banned like this and feel it's their only hope, | I'm skeptical. | | My guess is either these guys are playing dumb or they don't | understand why the best software engineers in the world think | they're doing malicious stuff. Either way they don't appear to be | ready for the "big time". | blacklight wrote: | This is the same story that HN readers have read hundreds of | times over the past couple of years, just with different | subjects. | | Independent developer/small organization gets their app/YouTube | channel/Google account shut down overnight because of false | positives triggered by their system. | | It takes weeks and insistence with bots to just get to speak to a | human. | | When you get to speak to a human, they usually respond with | template responses and refuse to provide further information. | | Rinse and repeat the same kafkanian process again and again. | | In all honesty, what the hell is everyone waiting to get off | Google? Gmail accounts, app stores, YouTube, ad networks... 
| Alternatives exist nowadays for all of the products developed by | a shapeless and faceless corporation that listens to nobody. | | I wish a long and successful journey for the Droidscript guys on | F-Droid or any alternative store. Time for Google to understand | that without the content uploaded by us (users, creators and | developers) they are nothing but a useless empty box. | mleonhard wrote: | Google is 1/2 of the mobile duopoly. No app developer can avoid | Google Play Store (for publishing their apps) and Firebase | Cloud Messaging (for sending push notifications to their apps). | auiya wrote: | The rest of industry have declared most Google products | spyware... so I guess it all evens out? | 7OVO7 wrote: | the problem of a free market in the management of the important | hubs of a sector (as is Google for most of the services of its | type on the internet) is that they (the big names in the sector, | those who reach the top with the free market), are which then | once they arrive they can do as they prefer. | | the problem of a non-free market, in this matter, would be a | government monopoly, with the same problem: they can do as they | like. | | the alternative to this currently is not easily applicable, and | does not give the current advantages of the "big" (whether they | are companies or governments the result does not change; really, | it is the same). | | if you think that Russia and its coming private Internet, or the | American NSA security system, or even that I know ... Amazon and | eBay, or Facebook and its network (not just the Social Network | site, but all its additional services, and where it gets to | manage what it manages), or even Chinese censorships on the | Internet, are different from each other (to give random | examples), think again. | | then of course comes troll-boss Trump (they ban him from Twitter | and other similar sites) and everyone thinks (confused) that this | is not real what I am writing in this comment.
| | we are beyond the conspiracy, here the conspiracy comes to life | by itself, randomly, without anyone creating it; now in its own | life. | | who is at the top decides for who is below the top, obviously the | developers of Droidscript appeal, they do not like this decision, | but they are like everyone else they are subject and subject to | the "big". | | if you don't want big problems from the "bigs", don't support | them, don't use them. | warent wrote: | On one side I'm being bombarded with news about Google's | anticompetitive greedy practices and disregard for customers. On | the other side I'm being bombarded with news about Apple's | anticompetitive greedy practices and disregard for customers. | | Damned if you do, damned if you don't. Which to choose? About | ready to just burn all of my electronics and live in a damn | cabin. | vntok wrote: | Well, is it? The linked post is obviously biased, so I'd rather | wait for more information instead of getting my pitchfork out | immediately. | marcinzm wrote: | Since Google lacks any form of human feedback or customer | service the only approach is to bring out pitchforks as soon as | possible. Otherwise no clarity will ever be provided. | croes wrote: | "The Register asked Google to explain why DroidScript was | removed and whether it's possible the policy violation | allegations might have been made in error. We've not heard | back." | | https://www.theregister.com/2021/04/27/droidscript_google_ba... | lopis wrote: | It could even be. Maybe Google found out they were hijacked in | some way and the app contained malware. The main issue is that | Google refuses to let publishers know the reason for bans and | take-downs. | Jaygles wrote: | It seems to me that the nature of the app is what's causing the | issue. | | From one of the emails they got from Google: | | > We don't allow apps with any code that could put a user, a | user's data, or a device at risk.
| | Maybe they think the ability to execute arbitrary code is too | powerful of a feature? | pjerem wrote: | > Maybe they think the ability to execute arbitrary code is | too powerful of a feature? | | Yes, probably. | | But maybe they can act and speak like humans, maybe even make | a phone call before just deleting without notice a well | established 7 years old app with more than 100k users, | cancelling all revenue from user's subscriptions, and all | that while sending bot-like mails just saying that they can't | give more information about why they are killing an | organisation. | | I think this is really serious. A respected business is going | to be shut down, real people are going to be fired and Google | isn't even able to answer to an email asking why it's | happening? | richardwhiuk wrote: | Maybe the business should have read the policy guidelines. | ivoras wrote: | Historically, that has been a major reason for banning apps | for both Apple and Google. | | IIRC Apple even went to extremes and banned browsers which do | not use their own JavaScript interpreter. | CogitoCogito wrote: | That could be the issue. It could also be something else | entirely. It's a bit unfortunate that they are left guessing | as to what the problem is. | Jiocus wrote: | "Hold my beer," - mobile Google Chrome. | | Trying to see it from Google's point of view though. Perhaps | there is a useful distinction to be made between end-user | apps, and apps and functionality targeting developers. There | is developer tooling to be found outside the Play store. Far | away from the general audience and the risk of causing them | security issues. | | I can't say I agree with it, and Droidscript could well be a | godsend to somebody making good use of it. | | There should be an avalanche of truly malicious apps and | related dev malpractice they could root out from their | platform before this.
| CivBase wrote: | Part of me is amazed that so many apps continue to rely | exclusively on the Google Play Store for distribution and | monetization. With Google's track record, it's practically | negligent to build a business which is completely dependent on | their proprietary services. | | That said, there's also probably no money in Android apps if it | isn't on the Google Play Store. I doubt most Android users know | how to install apps from anywhere else, much less search other | app catalogs. So I guess I really shouldn't be amazed at all. | darkwater wrote: | And, ironically enough, they publish the announcement on Google | Groups. | yjftsjthsd-h wrote: | Literally the second post is somebody suggesting that they | really should move the forum ASAP. | ur-whale wrote: | Here's a prediction: | | Within 20 years, you will need the equivalent of a concealed | carry permit to run Linux on a computer connected to the | internet. | melff wrote: | nah, you don't need a permit for that... you'd just need a | computer without a boot chain of trust, too bad those things | exist only in museums and landfills nowadays, have fun digging | through trash to find your slow-ass 5 year old 18-core RISC-V | 256G RAM SoC for which there is an exploit to break its chain | of trust. Oh and make sure nobody notices, breaking the chain | of trust is obviously illegal, and for good reason you could | try to break the DRM of a Neuralink-Entertainment-Stream, we | can't have that. | canada_dry wrote: | The _Streisand effect_ at work. I'd never heard of Droidscript | before, but now I want it. Thanks Google. | cortexio wrote: | I hope one day someone hacks google and puts all their servers | offline and puts a text saying: this service is not in line with | our guidelines. Even if it's for 1 day, just to give them a small | taste of their own non-sense. If you buy something, it should be | yours to control. If I buy a plate, you don't get to decide what | food I eat.
The phone space is currently completely controlled by | 2 giants... it's sad. | unexaminedlife wrote: | Here's a thought. One of the most frustrating things to me about | this kind of thing is that Google (or any other major tech | company) could just ignore me and just tell me "you're malware". | I get it. Technology people cost a lot of money, so I would | propose that companies who the public depend on MUST offer | consulting out-of-band at an hourly (or daily?) rate. This way | the real issues are squashed. | | Now I know that I can get the guidance I need to fix the problems | my product is having. Also this helps reassure the public about | the big companies intentions in that these FUD stories will | become instantly irrelevant. You want your stuff fixed? Pay for | the guidance. You don't want to spend the time fixing the issues? | So be it. But don't expect anyone to listen to your problems. | | On top of this, if it's a small open-source project, create a way | to streamline funding for the guidance. If a lot of people depend | on your project they'll almost certainly chip in a small sum per | person for the guidance you need. | thih9 wrote: | Wouldn't that encourage the big company to find more issues in | apps, and then tell devs to buy consulting hours to figure out | how to solve them? | unexaminedlife wrote: | Well, if that started happening I'm sure people would start | posting stories of how disingenuous the company's practices | had become. If they flagged some software as malware they | should already know exactly what the reasons are. So we'll | call that maybe a 1-2 hr session to get up to speed on | exactly what the issues are. How someone goes about fixing it | is another story. | | I'd say by default those sessions should be posted online for | public viewing just so everyone can learn from the mistakes | of the original team, or to make a judgment of how | disingenuous Google is being about the issues. 
At the request | of the project requesting those services they could make | those sessions private. | | Also this could lead to real innovation in the tooling for | example Google consultants could write unit tests that would | need to pass in order to be allowed on the Google App store. | Those unit tests would then, potentially become public so | everyone could just download the unit tests from Github in | order to confirm their software meets requirements. | | The other thing is Google would almost certainly see this as | a cost center. Billing people at-cost (or slightly above | that) for consulting services is way more labor intensive and | tbh annoying for companies with a trillion dollar + market | cap. | jedimastert wrote: | Except that ties access to these companies depend on to people | who have the money to do so, which creates a huge imbalance | unexaminedlife wrote: | We're not talking a huge amount of money. I'm saying let | these companies recoup the balance of the cost. For a small | company it might seem unreasonable for a Google to bill them | $100/hr for consulting services. Then again if 1,000,000 | people are asking for those services at 8 hrs a pop. You do | the math. | drummer wrote: | Building and relying on Google and then complain when they pull | the rug from under you. My fellow devs, when will you learn? | Avoid Apple and Google. | ddtaylor wrote: | Google bans thing. Ban gets attention on HN and a few other | social media sites. Google unbans thing. Repeat. | pudmaidai wrote: | You wish they unbanned things. I think content blocking will | still suck in future Chrome versions. | kjrose wrote: | The second step only happens for a small select group of | "things." There are myriad apps, people and organizations that | Google has blindly banned with no recourse or reasonable appeal | that we will never hear about. | | The bigger point is the system is clearly broken, but how in | the world can you fix it? 
| ddtaylor wrote: | The problem is really just a matter of scale and the | unwillingness of Google to sacrifice any of its margins. | | There are plenty of other companies that have many more | humans in the chain where problems like these eventually get | resolved once proper appeals are conducted or someone | physically walks into a business and participates in whatever | verification method is required. | | The idea that Google is somehow special is laughable. | Compared to some other industries that are directly consumer | facing the number of apps and developers is actually small. | | Also, they're not doing it without pay. They're taking a 30% | cut from an industry approaching a trillion dollars in annual | revenue. Again, the idea they can't solve this problem if | they were willing to spend the money is absurd. | kjrose wrote: | Well, when it's to purchase Google Adwords, there really | isn't any competition on that front. | | As well, Google Play pretty much monopolizes the Android | market for the general public. | Aachen wrote: | Not just Google, also Microsoft and others (see youtube-dl). | | The question is how we can break the cycle in favor of hackers | rather than in favor of big corporations. | cecja wrote: | The Microsoft Community is the worst of the bunch most of the | answers are from certified whatevers and are the same 3-4 | boilerplate responses AND there are techsupport/remotedesktop | scams running wild on the platform. Infuriating. | ericol wrote: | TL;DR: They are being accused of ad fraud, without any evidence | provided, and they are asked to reply with an analysis of why | they think their traffic ?? is legit (when they have no idea what | is it that Google considered "not legitimate"). | | The biggest issue here I don't think is the malware tag, but the | ad fraud accusation.
| | Even though, as somebody pointed out, the page linked can be | biased, based only on what they state and the emails from Google, | this is another case of David Against (automated) Goliath. | | From my point of view this is just another drop in the pound of | what is already being built as a case against Google (and also | Apple) for monopoly. | | P.S.: I've used Droidscript in the past, and I do think it's too | powerful an app that can be abused. But that happens to a lot of | things in life, right? | frombody wrote: | the ad-fraud accusation is my biggest concern as well. | | they provide no information or clues leaving the author to | guess. | | the author guesses that somehow someone extracted their | identifiers from the apk. | | google comes back and says more clearly that it's something to | do with how the ads are positioned, essentially accusing them | of trying to trick people to accidentally click. | | this information should have been provided before the appeal, | and google gains literally nothing from hiding this information | from the author. | | the malware claims have more validity, but the way they handled | the ad-fraud claim is inexcusable. | shadowgovt wrote: | It is extremely possible that from Google's point of view, an | inability to give such an analysis is itself justification to | remove the app from the Play Store. | | If Droidscript is flexible enough to allow end-users to create | an ad fraud engine, it's too flexible for the store. Play Store | is relatively consistent in its position that a tool that | bootstraps policy violations is itself a policy violation. | | But it would be great if Google could offer a concrete | reproduction case, and from a developer-service standpoint it | completely sucks that they don't. | cwkoss wrote: | Is there a service where I can host a raspi on my network and | let people send it instructions about which ads should be | clicked on and it gradually earns crypto over time?
| | I'd love to make some money while fucking with ad networks... | :) | shadowgovt wrote: | I'm not sure, but I'm going to note that click-fraud | already exists and Google (as well as other ad networks) | have countermeasures to determine whether your raspi is | likely "clicking for fun" and chargeback the advertisers | for the non-human clicks. | | Whether those countermeasures can be reliably defeated is | left as an exercise for the raspi owner. ;) | timnetworks wrote: | Chrome.exe has been breaking the internet for years. There is no | bigger malware producer than Google itself. | qwertox wrote: | Whatever their reasons may be, they may be legitimate. | | But using this sentence is simply not OK: | | > Because this information could be used to circumvent our | proprietary detection system, we're unable to provide our | publishers with information about specific account activity. | | The developer/publisher must be given a chance to correct the | issues. This is simply not fair. | | I'm pretty sure Google can do better than to rely on security by | obscurity. | | --- | | > Unfortunately we also have to inform our users that we could no | longer support AdMob for use in their own apps either, because we | can't test it anymore and can't guarantee that Google won't treat | them in the same brutal way. | | Couldn't it be possible that one of those users was using AdMob | in a fraudulent way, and that this was then linked to | Droidscript? I don't know how Droidscript works, how it creates | those apps, but it could be possible that Droidscript then was | responsible for the fraudulent use a user did. | cblconfederate wrote: | > DroidScript has a user base of over 100,000 people world wide | | a user base built on such foundations is no base at all. 
| unfortunately, only open platforms can be considered a solid | enough base for building any kind of community | thereddaikon wrote: | Google is pretty infamous for the over reliance on automation for | customer service. But ultimately the reason why they persist is | because they can afford to get away with it. | teamspirit wrote: | I think one day there will eventually be a class action lawsuit | filed against one of these companies for their opaque customer | response process. | | How did it get this way? How did we allow it and for so long? I | really don't know. Here we are, the community involved yet | somehow this method of customer [non]interaction grew out from | underneath us. | | *spelling edit: fire -> for | Taylor_OD wrote: | What are you going to do? Stop using Google products? Good | luck. | lainga wrote: | I could... take my travellers' cheques to a competing | resort... | tomjen3 wrote: | I run firefox and use DDG. | heywherelogingo wrote: | Yes. Android and gmail are my last two to get rid of. I was | wanting to play with mail in a box, but this morning had an | alert on my phone demanding my birthdate within 14 days. | So, I'll be expediting google out of my life within the | next 14 days. | e3bc54b2 wrote: | If you don't use YouTube, I bow to you good netizen. | | But in all honesty, it is very very hard to avoid Google. | Android, Gmail, YouTube and Search are big four left on | my list. | Igelau wrote: | I'm using YouTube less and less. The ads have become | intolerable, and I had my own bad experience with their | copyright violation detection. That's the easiest one for | me to abandon. | dannyw wrote: | Android is so bad for privacy. | LegitShady wrote: | Is AOSP bad for privacy as well? I've been migrating all | my services and devices away from Google (I've owned | nothing but pixels and nexus phones for a long time) but | I was hoping flashing to lineage would work rather than | buying a new phone.
| cecja wrote: | Yes, AOSP is still calling home. | danShumway wrote: | Base Android with unmodified settings is terrible for | privacy. If you're willing to put in the work to install | LineageOS and move off of Google apps and jail/delete | them, it can become a superior option over iOS, if for no | other reason than that you can set up competent | adblocking and take advantage of Open Source replacements | for apps like Youtube that don't transmit as much data. | | This is part of why it's tricky to make phone | recommendations to privacy-conscious people. iOS is the | clear winner on privacy for nontechnical people, and the | clear loser on privacy for highly technical people. But a | lot of people fall in the middle of that spectrum -- | semi-technical -- and then it becomes complicated to | figure out what they should do. | pjerem wrote: | Done. | | And it was way easier than I thought. | passivate wrote: | Google's business model is where they automate everything, and | you keep running on the treadmill. From a business standpoint, | it's fabulous, and I'd probably applaud them if they weren't so | awful. | seanhunter wrote: | It's sort of interesting how long this has worked, and as well | as automated customer service the same or similar case can be | made for automated moderation. | | You can often hear people on here excusing this by saying "if | they didn't do this, their business model wouldn't scale". Well | yes. If you can do the automation and it works then you have a | business at scale. If not, perhaps your business shouldn't be a | scale business. As is, the negative externalities of this | imperfect automation are significant. | patrakov wrote: | So community lawyers and other interested parties should make | sure that their business model doesn't scale this way. | salawat wrote: | _Especially_ those parties.
| NiceWayToDoIT wrote: | It seems this is not a rare case, I know that my friend lost | a great portion of his investment in the app at the point when | number of users on his app was enough to start getting breaking | even, Google just decided that some of his users are deliberately | clicking on ads. | | I guess that is the way when you deal with company with too much | power, there is no way to appeal, complain, or do anything that | will save your business. So, I guess, and from few stories I read | if they find out that you have type of business that is | interesting for them, they can simply suffocate your business by | standard mafia means, like in the movies first they send a | "negotiator", then they beat you a bit, and if you do not comply | they "burn" your place down. | | So, company that had slogan "Don't be evil!" what a joke... | segfaultbuserr wrote: | The keyword here is _had_. Google wasn't that evil when it | hasn't acquired today's power yet. | pdkl95 wrote: | The War On General Purpose Computing[1][2] is escalating. The war | has moved past trivial fights over copyright/"DRM", and is now | directly targeting programming environments. | | [1] https://boingboing.net/2012/01/10/lockdown.html | | [2] https://boingboing.net/2012/08/23/civilwar.html | | edit: fixed link - thanks for the bug report | overgard wrote: | This seems so self-defeating by these companies. All this will | do is push people to learn to develop on the web (arguably | where they already are learning), while completely bypassing | any built-in API's and stores. Sure, there's stuff you can't | access without native code, but at a certain point why would | anyone want to risk making their primary codebase dependent on | one of these stores? | | When FOSS tablets and phones become competitive, I'm really | interested in getting one. Maybe even before they're | realistically competitive. | salawat wrote: | It won't become so without your help, join the fight and make | a stand.
Every user lost by proprietary platforms tilts the | scales more in FLOSS/H's favor. Scale makes all the | difference. | e3bc54b2 wrote: | Web is being crippled too. Google is clenching its iron grip | from both sides (search and browser), while Apple leaves it | crippled on its own devices for obvious reasons. | oblio wrote: | You've posted the same link twice. | TrianguloY wrote: | I don't like the tone of the comment (feels like a tantrum) but | unfortunately this happens more often than people think. | | What I find interesting is the little information they give you | after a ban. Apparently if they explained the reasons of the | banning then other people could use that information to find | flaws and 'game the system'. | | This means that, if you deliberately made something against the | rules and were banned, you can then 'explain your mistake and the | measures to not do it again'. But if you don't do anything | unusual and simply break one of the crazy rules they have by | mistake, it's game over. | | P.S. If you have a blog and practically all of your visits come | from a single source (perhaps a link in something popular) don't | EVER use admob on that blog. You will be banned. | arp242 wrote: | You're not wrong that it's a bit of a tantrum, but after | spending years working on an app and then being banned out of | the blue without any recourse or even information, I think the | author is entitled to a bit of a tantrum. | | It's true that giving all details might lead to people gaming | the system, but c'mon, a _bit_ of details wouldn't be so bad. | | This isn't some sort of fairly inconsequential website like HN | or Reddit we're talking about, but literally people's | livelihoods. This is like the cops walking in to your house to | arrest you for theft, but they won't tell you what you stole, | where you stole it, or how they know it was you. You now go to | prison, have a nice day. | | Perhaps they're right 95% of the cases.
But in 5% of cases | they're wrong, and bye-bye livelihood and many years of work | down the drain. | kseifried wrote: | Assigned CVE-2021-1000040 for this issue because a minimum | DroidScript can no longer get updates out to users. They may also | be doing bad things, as claimed by Google, but either way the | ecosystem will start to get stale and security issues can't be | easily fixed right now. | SeriousM wrote: | Why not just publish it on f-droid? | thisisjustmine wrote: | They have a subscription model and ads which are not allowed on | FDroid. FDroid also requires the software to be opensource. | ZiiS wrote: | FDroid do allow subscriptions and ads. They label them | 'AntiFeatures' which is not as bad as it sounds; many people | will still happily install the App. However FDroid do strictly | insist all code is free and open source; this does mean you | are rolling your own Ad and Subscription libraries. | Aachen wrote: | Correct. Newpipe on f-droid has the anti-feature of | promoting a nonfree network service (YouTube) but that | doesn't mean people don't install it or that it's banned | from f-droid. | AlstZam wrote: | This is true for the official FDroid repository but | independent repo can be created [0]. This helps manage | independent signing as well. | | [0] : https://www.f-droid.org/en/docs/Setup_an_F- | Droid_App_Repo/ | antman wrote: | At this point Google is the malware. Bait and switch, I miss the | era that I could freely customize with termux, now waiting for a | decent linux phone. | ben509 wrote: | The writing style of the piece looks like a political mailer. | | > The Google Play system has declared DroidScript is Malware and | accused us of committing Ad Fraud! Needless to say, we are | extremely upset and totally flabbergasted at this shocking | allegation! | | That kind of hyperbole sets off all my BS detectors.
| | As I go through the back and forth, DroidScript speculates this: | | > Our main guess was that one of our users was experimenting with | our AdMob ID after extracting it from our APK... | | What I don't see is that they ever went back to the policies to | check if that was legit. If it wasn't and you tell Google, | "right, that was totally a feature but we've removed it," then, | you just indicated that you deliberately implemented a feature | that violated the terms of your agreement. | | > How can they expect people to build organisations or businesses | supported by advertising revenue, when they might be subject to | this type of summary execution at any moment! | | I agree that Google's communication with their customers is | awful, but this is not a new problem: _you have to read your | contract_. And that means get a lawyer to go over it and explain | to you what it really means and not what you'd like it to mean. | indymike wrote: | Perhaps the problem here is the monetization model (ads) is a | mismatch? Perhaps try a subscription or just let users buy the | app? | yjftsjthsd-h wrote: | > What I don't see is that they ever went back to the policies | to check if that was legit. If it wasn't and you tell Google, | "right, that was totally a feature but we've removed it," then, | you just indicated that you deliberately implemented a feature | that violated the terms of your agreement. | | A user reverse-engineering your app to pull out its AdMob ID is | neither a feature nor something the app dev can reasonably be | faulted for. | fmajid wrote: | It happens a lot more often than people think. By some | estimates more than half of all ad clicks are bot-driven | fraud. | Jfuvjrnfjxje wrote: | > The Google Play system has declared DroidScript is Malware | and accused us of committing Ad Fraud! Needless to say, we are | extremely upset and totally flabbergasted at this shocking | allegation! | | How is this a hyperbole? 
The first sentence is literally and | completely true. And the developer seems legitimately upset and | shocked. | | It's not hard to imagine truly being extremely upset that | something you probably spent hundreds of hours on got shut down | for inscrutable reasons outside your control. | jccalhoun wrote: | I am not a programmer so I have no idea of the validity of | anything they wrote. However, the style absolutely grates on | me. It sounds like PR. and the random bold sentences seems like | a calculated PR move. | veeti wrote: | Are you serious? It takes a minute to disassemble literally any | APK with AdMob SDK and abuse their ID's. These values are not | secrets. If a billion dollar company like Google can't detect | simple fraudulent activity like this, how are their ads | supposed to be worth a single dollar? | mschuster91 wrote: | > how are their ads supposed to be worth a single dollar? | | Hard truth: a _lot_ of internet ads is fraud. With paper, | radio and TV, any ad buyer can cheaply verify that their ad | spending ends up where it should by buying a paper at a | random train station or listening to the airwaves. | | On the Internet, it's worse than the Wild West, with fraud | and deception on every part of the chain. | DaiPlusPlus wrote: | Which is ironic because in the 1990s web-advertising was | sold to marketeers as _the best_ form of advertising | because every view is logged and tracked: unlike a magazine | ad you can know exactly how many people saw it and | interacted with it (...right before middle-school kids | realized they could make free money by clicking ads they | put up on their geocities webpages) | | When Facebook launched their ad platform people were saying | there would be even less fraud than open web advertising | because FB (at the time...) was doing a good job of keeping | bots out of Facebook - but I understand right now that | Facebook advertising is the worst form of advertising you | can spend money on...
| | * https://news.ycombinator.com/item?id=25623858 | | * https://news.ycombinator.com/item?id=26193544 | stjohnswarts wrote: | If someone came along and pulled the rug out from under your | ability to earn a paycheck you might be a bit excited and | hyperbolic as well especially if all they told you was "you | hurt our feelings" but wouldn't tell you why. The situation is | ludicrous. | [deleted] | DarkmSparks wrote: | simple solution for anyone considering funding their apps with | advertising. | | Don't. | TheCoelacanth wrote: | Simple solution for anyone considering to build a business on | top of the Google ecosystem. Don't. | flyagaric wrote: | If you think you have a business by relying on Google. You will | learn it the hard way. | | You can't have business with Google when all the rules of | engagement are set by them. | exikyut wrote: | I can't find it now, but I read a story that's been repeatedly | posted here about someone who got an idea, dropped everything, | built an MVP, showed it to potential customers _who loved it_... | and was told "I definitely need this, but I wouldn't pay for | it." And then the person realized that the customer was right | (the worst kind of right), and that the idea was both awesome and | unmonetizable. | | In the same vein... question. | | Google is absolutely terrible at customer support and handling | these kinds of issues. I once read in a comment posted here that | they apparently don't even regard issues as valid signal unless | 10,000 users are affected. (I've personally always instinctively | shied away from app/site feedback buttons myself, and now I know | why.) I'm guessing it's because con$i$tent ridiculou$ adverti$ing | revenue ("we can do no wrong") has caused the death/deselection | of normal customer support feedback loops. | | Sooo... could a startup, or startups, fill the absolutely massive | vacuum that is being created here? 
| | For every story that trends on HN, how many more false negatives | of people being bankrupted are there that never see the light of | day? :( | | I can only think that this number is probably remarkably high | given that _stories have to trend on social media and /or popular | websites, for multiple days, before a connection is made and the | problem can be fixed._ | | Once again, the more I look at this, the more I get the | impression that this is a huge hole that could be filled to great | benefit. | | But thinking about it, I don't think it would be monetisable: | | - It would ultimately be a company taking people's money to | leverage a few private contacts. It doesn't take much squinting | to see this as extortion and gatekeeping, which happens | everywhere but would legally be very interesting to defend | (especially against a company the size of Google). :/ | | - The contact issues only exist because of process and | organizational failure, so even if private contacts were | successfully established, the signal/noise ratio was ideal, and | this company did perfect triage, it wouldn't take long for | manglement to hear of the situation and decree that no Google | employee were allowed to interact with the company professionally | | - The whole thing would have to operate under the radar to | operate at all... and maybe such operations exist and are | successful, we've just never heard of them. Problem. | | Running the whole thing as a volunteer operation maybe sounds | like it could work though. | | And if issues don't get fixed until >10,000 people "notice" maybe | such an operation could have noticeable presence before being | acknowledged. | | Just thinking out loud. What think? | richardwhiuk wrote: | The signal to noise ratio would still be terrible. The company | would have no mechanism to work out who was actually being | honest. 
| | For every story that trends on HN, 9 times out of 10, it turns | out Apple/Google/Microsoft/Facebook were right, and the company | was doing something dodgy. | Causality1 wrote: | _Our main guess was that one of our users was experimenting with | our AdMob ID after extracting it from our APK_ | | Does this mean anybody with a grudge has an easy way of destroying | any developer's revenue stream? | tjpnz wrote: | The only thing approaching malware I've experienced on Android | was delivered via Google's own ad network. Given what little | happened after reporting said malware one can only assume that | they apply a very different set of rules to app developers. | j_barbossa wrote: | As still so many people don't get it: | | 1) Don't make your business dependent on Google 2) Don't make any | of your data dependent on Google (don't use Gmail, Workspace etc) | 3) Don't make applications you build dependent on Google | | Hint: If you can't migrate away from Google within a working day, | you're doing it wrong. | JasonFruit wrote: | And 'Google' here is shorthand for any entity from which you | have no reasonable expectation of customer support which is | both human and humane -- so don't make your business dependent | on Google, Facebook, PayPal, or any similar entity. | sjbr wrote: | the title has to be 'Google has ...' | dewert wrote: | Probably a British English speaker. Not 100% sure on the rules, | but see, for example, | https://english.stackexchange.com/questions/1338/are-collect... | victornomad wrote: | This is very upsetting. Hopefully they could fix it soon! | | I worked on a very similar Open Source tool for a really long time | called PHONK https://phonk.app (previously called Protocoder) | | It started around the same time as Droidscript but PHONK has been | always a hobby project rather than a business. | | I can imagine how painful it might be for the Droidscript devs if | that's a part of their monthly income...
| | This type of actions by big actors should keep us awake to | protect the web with tech, companies and user diversity. | eplanit wrote: | It's seriously time to re-embrace the idea of ownership and | control of our devices, and reject Android and iOS altogether. | Developing for those platforms has become worse and more | restrictive over the years, and this kind of crap is now just | everyday news. | | How good are Pinephones[1]? Are there better alternatives? | | [1] https://www.pine64.org/pinephone/ | takeda wrote: | When Mozilla was trying to get their OS for mobile phones, I | think they stepped in too early. Right now it's probably a | better time for an alternative. | ehsankia wrote: | > re-embrace the idea of ownership and control of our devices | | Overall I would agree, but I don't see how this specific | example has anything to do with that sentiment. | | You still have control of your device and can install | DroidScript from APK or F-Droid, it was only removed from Play | Store, Google's own store. | | Obviously this is awful for DroidScript themselves, but you as | a user didn't really lose any ownership over your phone due to | this specific issue. | loa_in_ wrote: | Remember that you can still use Android without Google apps | entirely. Depending on how popular your device is, you can | retain close to 100% of functionality. You can also use banking | apps etc. but methods are in constant flux and it's an ongoing | battle | phh wrote: | Maybe don't scratch Android too fast. | | Android is opensource, and is technically really great. There | is a great opensource community of people that are very capable | in this area, and supports already the vast majority of devices | in the world. | | You only need to get rid of Google. Which many custom Android | provide. Personally my smartphone is a Pixel 5 (IMO best | smartphone currently available that fit in a hand), running | Android, without any Google application. 
I'm very happy with | it, and from what I discussed with Pinephone users, it's | lightyears more usable than what exists for Pinephone. | johnbrodie wrote: | More and more functionality is being shoved into Google Play | Services. I have a deGoogled phone running Lineage, but even | with that, no Google Play Services, and some custom settings | (like changing the captive portal URLs), there's still | network traffic to Google. Add in relative unknowns like AGPS | and the situation gets even worse. I also have no push | notifications for most apps, have to keep a static | notification so Android doesn't kill apps like my email | client, AND still run micro-G for basic functionality to | work. Oh, and thanks to SafetyNet there are still apps that | refuse to run, even with systemless "undetectable" root. | | Android itself might be really good, but it's pretty obvious | that deGoogled phones have a strong chance of being | functionally useless in the future. | phh wrote: | The ratio of available apps of Android without gapps over | pinephone is still more than 1000 fold, despite SafetyNet | or other reliances on Google. | | For push notifications, microg does fill the gap, so I'm | not sure what you're talking about. UnifiedPush is coming | to fill this gap without violating Google's ToC, with self- | hosting, and fully FLOSS. Is anything like that coming to | PinePhone or Librem? | | The Google phone-home "features" can be removed, and this | is exactly the point of this thread. Android is opensource, | you can control this platform however you want, especially | removing all connections to Google services. | | I'm guessing what you're saying is that you installed some | custom Android ROM, and expected it to remove any Google | tracker, but that's a wrong assumption, most Android ROMs | don't target deGoogling. | | Even my AOSP GSI, with FLOSS variant doesn't target | removing Google phone-home features. Why?
I don't approve | of any data collection on Google's DNS, AGPS, or generate | 204, which means it is illegal for them to use it to track | me without my consent, and I believe that they are not | total outlaws. Running a DNS, AGPS, or even generate 204 | reliable infrastructure is hard. | Spakman wrote: | > I have a deGoogled phone running Lineage, but even with | that, no Google Play Services, and some custom settings | (like changing the captive portal URLs), there's still | network traffic to Google. | | I'm running LineageOS without Play Services too and didn't | know about this! | | Do you have any reference materials (I guess getting busy | with Wireshark and the source is my next step)? I found | this Reddit thread[1] talking about a connectivity check | but am keen to start tracking down any others. | | https://www.reddit.com/r/LineageOS/comments/5qnfxf/why_line | a... | Aperocky wrote: | Maybe it's just time to see phones as what they are - a phone. | | I don't really care what software is ran in my truck, as long | as it works (And that's why I'll not buy a Tesla). It's a | phone, use it to call text and guide and browse some internet. | That's it. | dcow wrote: | What's wrong with Tesla software? | Aperocky wrote: | The ratio of amount and significance of action it takes | over my trust in it is too high. | dcow wrote: | You don't need to use any of the driver assistance | features. It's not doing any of that if you don't | explicitly engage it and sometimes even requires enabling | settings toggles. | harrierpigeon wrote: | One thing that comes to mind is that the wiper | functionality has to be accessed from the center console | touchscreen, and generally when you need it on you need it | right then. | dcow wrote: | Not on the Model 3,Y, it doesn't. You press the button on | the left widget behind the steering wheel (the lever/knob | you use for your turn signal).
| goda90 wrote: | Phones are the only pocket computers that see quick advances | in performance and battery use. For someone who wants a | pocket sized computer, it's just most convenient to combine | it with your phone. | Aperocky wrote: | But they are horrible as production machines, at least | until when our brain is no longer using our body as | interfaces. | | For pure pocket sized computing, why not use RPi? It's both | much cheaper, more customizable, and it runs Linux. With | enough tweaking you can make it run completely headless, | plug-and-run mini computer that you can ssh over local | network. | | I think the biggest problem with the combining idea is that | computing in general is about productivity, and phone is | about phone stuff. | dividedbyzero wrote: | Phones are kinda too small, but iPads (which are, in | essence, oversized phones) are just fine for production | machines if you don't equate productivity with | programming. | | With a Pencil and Procreate, it's really hard to beat for | drawing and illustrating. With an external keyboard and | some kind of stand writing is a joy, I like it better | than on a proper computer because of a ton of little | things that help me keep focused and because the device | is so portable and doesn't have the laptop form factor | with a permanently attached keyboard, with bluetooth | periphery it's more like a wireless battery-powered | external screen. | | Light to medium spreadsheet work is also totally doable, | and I've built dozens of slide decks in various apps, | with hand-drawn illustrations. | | I use a Pi as a mini server, but doing creative work on | one, I can't imagine that to be as nice and slick as on | the iPad. Last time I tried the PiOS desktop, it | definitely wasn't. | Aperocky wrote: | You're absolutely right about drawing and other 2D | renders. I may have overlooked this because I have not a | bone for arts in my body and prefer the terminal to UI.
| megous wrote: | It's not much cheaper if you want battery, LCD with CTP, | and perhaps a LTE modem for non-wifi mobile internet. | Also it would have a horrible form factor. | | Pinephone is basically a smartphone shaped SBC, with much | better software situation than rpi, and you can use it as | such. I ssh into mine all the time. You can connect | anything you like to it via USB hub, incl. the full | keyboard and mouse. You can use bluetooth keyboard, and | just do normal computing you'd do on your desktop, etc. | | Except for small display and lower performance there's no | difference. | marcus_holmes wrote: | I uninstalled all social media from my phone. I feel so much | better. | | I use it for chat apps, phone calls (usually via chat apps), | and occasionally wandering around Imgur when it would be | socially awkward to not be on my phone. | | The rest of the time I've come to appreciate being present in | the moment. | | So yeah, I'm looking at the new generation of Linux phones | with interest. If I can run the chat apps in a browser OK, | then I think it might work for me. | ficklepickle wrote: | In what kind of situations is it socially awkward to not be | on your phone? Genuine question, I'm not great with social | stuff. | ShroudedNight wrote: | When loitering, I've found that phones are a strong | signal that distinguishes those uninterested in engaging | with the strangers around them, from those that are. When | trying to convey one's innocuousness to the wardens of a | domain, it can be helpful to use your phone. | | Related, if in a group, everybody else disengages to be | engrossed in their phone, it can be helpful to do the | same if one does not want to demonstrate a vulnerable | dependency on the generosity of their attention. | | A lot of awkwardness comes down to self-perception of | vulnerability. | marcus_holmes wrote: | this, mainly.
| | Though if everyone else is on their phone, and the crowd | is large enough, I find it fascinating to people-watch. | Vrondi wrote: | A paperback book or something can give the same social | signal. :) | marcus_holmes wrote: | I'm a middle-aged white guy. In situations where everyone | else is 20 years younger and dressed in half the clothing | I am, I come across as a total perv if I look at anything | except my phone. Or at least that's how it plays out in | my head. | | I do find it useful to sometimes be absorbed in my phone | and not aware of what's going on around me. Or at least | to have that impression. | kaibee wrote: | > I don't really care what software is ran in my truck, as | long as it works | | I mean, exactly what recourse do you think you'll have once | it stops working..? | | You'll sell your not working truck (to who?) and buy a new | one (that is also soft-locked because it was the only way to | stay competitive?)? | | Right to Repair: https://www.youtube.com/watch?v=nvVafMi0l68 | Aperocky wrote: | That's a different topic though. | | Also, the software vended by traditional car companies are | usually bound with hardware and readily replaceable if a | reboot can't solve the problem. | RHSeeger wrote: | But for many people, maybe even most people, they're not just | "a phone". They're a multi-purpose tool that comes in the | form factor of a mobile phone. Camera, chat, web browser, | games, social media, music player, access to nearly the sum | total of human knowledge... Treating such as tool as merely | "a phone" doesn't make any sense. | SV_BubbleTime wrote: | It's still a phone actually and colloquially even if I use | the Phone App infrequently. | | The point isn't what you call it. OP's point was and I | agree that you don't need to have full control over every | device that can possibly run code. Just let it be a device | that does its thing. | | It's the difference in people that want calm technology vs | "power users". 
I want the device to exist waiting on my | input and even though I have deep knowledge of its internal | systems and processes, I don't care, I just want it to | work, solve a problem for me, and I'll put it away. | | Go ahead and root your phone to do whatever actively | complex thing you need... it's a tool for me and I | personally want the walled garden to prevent it from | possibly not working when I need it. | RHSeeger wrote: | > The point isn't what you call it. OP's point was and I | agree that you don't need to have full control over every | device that can possibly run code. Just let it be a | device that does its thing. | | That's not how I read the op, who said "It's a phone, use | it to call text and guide and browse some internet. | That's it". The tone in that reads not like "you don't | need to..." it reads like "you should not...", which I | disagree with. I rarely use my phone to make calls. I use | it as a multi-function tool of tremendous capability. If | I wanted a simple flip phone, I would have bought one of | those, instead. | Aperocky wrote: | I can't phrase myself better than you do! | 3np wrote: | > you don't need to have full control over every device | that can possibly run code | | I argue that if the device sends data to third parties | over radio/internet and/or the manufacturer can remotely | push updates that changes the devices behavior then users | must have full control. | | Something like that should become law. | | Then manufacturers can keep devices locked down as long | as they stay out of the surveillance game. | fmajid wrote: | > Maybe it's just time to see phones as what they are - a | phone. | | Maybe it's time to call phones what they really are: pocket | computers with a legacy voice call functionality that is | increasingly irrelevant to anyone who isn't a Boomer. | | Now, regarding the locked-down of both iOS and Android | ecosystems, I can see both points of view. 
The majority of | ordinary users need to be protected from increasingly | sophisticated malware stealing their online banking | credentials or other mischief, but power users also need to | do whatever they want to do once they've signed a disclaimer | badsectoracula wrote: | > with a legacy voice call functionality that is | increasingly irrelevant to anyone who isn't a Boomer. | | Sadly this requires mobile Internet prices to _at least_ | match voice call prices, which is not the case in many | (developed or not) parts of the world. | Aperocky wrote: | > pocket computers with a legacy voice call functionality | | I don't necessarily agree with this, because this is the | direction that everything is moving towards. | | It is so much cheaper to embed an SOC into everything that | needs some form of automated/assisted control. Not | necessarily a good thing, but that's what is going to | happen regardless. | | Your fridge can become a pocket computer with refrigerating | capability - but you'll still see it as a fridge. It's | really about how you see and utilize these items. | danans wrote: | > Your fridge can become a pocket computer with | refrigerating capability - | | Only if you have huge pockets ;) | necovek wrote: | Or a tiny fridge! :) | danans wrote: | Indeed! Half seriously, we just need thermoelectric | generators to get efficient enough, and then our phones | can be powered directly from our body heat, and also | refrigerate us on a hot day! | | https://en.wikipedia.org/wiki/Thermoelectric_generator | 2OEH8eoCRo0 wrote: | I envy your chill. We all do need to take a deep breath at | times and realize it's truly a first world problem. | | With that said your truck analogy isn't perfect. Your truck | will last as long as you keep it going. That can be 20 years | or more. It would be more like having a truck that the doors | do not lock anymore after 2 years and you cannot fix that you | must buy a new truck if you don't want thieves. 
| karlicoss wrote: | Also I think the analogy doesn't quite work because a truck | is a truck. You can do some customization, you might (or | not be) able to change some parts, or being a mechanical | engineer you might even be able to repair it or enhance. | But it will always fundamentally be a truck. | | The difference from phones is that a phone is a computer, | and as such it has computer's endless potential. For some | it can be just a phone, sure. But many people want to use | it as an extension of their mind, as knowledge management | tool, as a creative tool, etc. The frustrating bit is that | in many aspects phones are much nicer and better suited for | such tasks than regular desktop computers (think | portability, having cameras & sensors etc), yet because of | these walled gardens it's much harder for a knowledgeable | person to leverage this potential. | Vrondi wrote: | You are displaying your ignorance of trucks. For decades | now, all automobiles and trucks have included proprietary | computer systems. Some are easy to hack and alter. Some | are more expensive/challenging, but people do it. An EV | is missing _most_ of the mechanical parts that defined a | "truck" for a century, and is basically only four tiny | motors, brakes, a computer system, and a battery with | wheels. The sole characteristics of "truck" that still | remain which Henry Ford would recognize are "has wheels" | and "can carry cargo". | Dylan16807 wrote: | They _have_ computers but you can't use them to compute | in any effective way. You can tune it, great, just like | if it didn't have a computer. | 2OEH8eoCRo0 wrote: | Exactly. You have almost complete control over it which | is exactly why trucks can last so long IRL. If your radio | stops working you don't need to buy a new truck. | blimeymate wrote: | I don't have or need software in a truck, statist apologist. | detaro wrote: | But that's not what vendors are selling, and what most people | are buying.
| goda90 wrote: | I haven't tried any Linux phone, but a couple of other | alternatives include F(x)tec [0] and Librem 5[1] | | [0]https://www.fxtec.com/ [1]https://puri.sm/products/librem-5/ | d--b wrote: | I bought one last week | twobitshifter wrote: | I'd be hesitant to jump on another platform unless it has a way | of locking down app permissions similar to iOS. I think it's | been shown that the app review process is a farce, but the | permissions system like the new app tracking feature is great | for privacy and security. | | If this droid script equivalent were going to start reading my | emails watching me through the camera, reading my clipboard, or | tracking my real world location, I'd definitely want something | that alerted me to that before it happened. | swiley wrote: | There is a way to do that: don't run untrusted code outside | the browser. | joshuaissac wrote: | > If this droid script equivalent were going to start reading | my emails watching me through the camera, reading my | clipboard, or tracking my real world location, I'd definitely | want something that alerted me to that before it happened. | | Android has supported permissions since at least Froyo | (2010), and these permission requests were made on- | demand/runtime rather than pre-install with Marshmallow | (2015). So Droidscript would be unable to do any of those | things (except reading the clipboard) until you explicitly | granted those permissions to the app. | okaram wrote: | It doesn't much matter how good they are, since you can't buy | them (their products are usually out of stock for months at a | time; right now, they are in pre-sales etc). | | I like what they are doing, but it is definitely not mainstream | products. | x86ARMsRace wrote: | > Small numbers (1-3) of stuck or dead pixels are a | characteristic of LCD screens. These are normal and should not | be considered a defect. | | Their product line does not really inspire much faith.
I can't | say I've bought a device in the past 10 years which has dead | pixels on the display. To me, this _is_ a defect, given that I | can pick up a device, overwrite Windows with Linux, and have a | device without dead pixels. | [deleted] | Jiejeing wrote: | This warning is present, albeit in much smaller print, on all | devices with a screen that you buy. The unofficial apple | policy appears to be "repair starting from 1 dead pixel on | iphone, 3 on ipad". Samsung has a policy which depends on the | screen type: 1 for normal LCD, 3 for Super AMOLED, 4 for | WVGA-resolution LCD. Every single manufacturer has this kind | of clause, you cannot fault pine64 for this. | | Though of course as it is a much smaller venture, you can't | hound a sales rep until they accept to repair it nonetheless. | dmm wrote: | They're selling at near-cost for developers. The pinephone is | not ready for end users. | goda90 wrote: | Check out their philosophy[0]. They aren't exactly a company | targeting end user consumers. They want to put affordable | hardware in the hands of a community of tinkerers. | | [0]https://www.pine64.org/philosophy/ | x86ARMsRace wrote: | Well, as both an end-user _and_ tinkerer, I'd rather not | have to own two devices when I can go out and get one that | will cover all my bases. | 3np wrote: | Sounds like Purism Librem5 is more for you then? | x86ARMsRace wrote: | Possibly. Their laptop devices look excellent. On the | list when my current device gives up the ghost. | hutzlibu wrote: | Good luck with that. See how long that lasts, if the | current trend continues. Soon you might have to acquire a | certified developer version to unlock your device to | tinker with it. | x86ARMsRace wrote: | Regardless, Pine does not look like a product I'd put my | faith in. Perhaps someone else, sure, but Pine inspires | no trust from me. | blihp wrote: | That warning is designed to scare away 'regular' consumers, | so it's doing its job.
If the prospect of a couple dead | pixels scares someone, they are not the target customer for a | PinePhone. It is _absolutely not_ a device for the average | consumer. | | How do you know if you're the target customer for a | PinePhone? You read the 'dead pixels' warning and think 'I | don't care... I want a Linux phone'. People who would find a | couple dead pixels unacceptable would also likely find the | features and functionality of it unacceptable as well. For | months it couldn't take pictures or (reliably) make phone | calls/text.[1] Now we can take poor quality pictures and have | marginal phone functionality and think life is good! It's not | that we're nuts (ok, maybe a little ;-) but rather that we | accept this as a long term process/effort and not something that | will be even remotely perfect anytime soon. | | [1] Hell, mine will never be able to reliably work with most | USB-C chargers due to a hardware bug in the first iteration. | Didn't care... I want a Linux phone! (and I'm too cheap to | replace the board, I'll wait for a v2 to fix that and other | issues) | kllrnohj wrote: | The platform doesn't give a flying fuck about Droidscript. It's | play store that does. | | So just get serious about using alternate stores, which the | platform fully lets you do (f-droid, amazon app store, | whatever). | shadowgovt wrote: | Most users would prefer a mostly safe experience and gladly | give up the option to run arbitrary code on their device for | that experience (including arbitrary code they've written). In | an all-out "this or that" between allowing IDEs on the Play | Store in general and giving the average Play Store user what | they want, the IDEs would lose. | | But it does suck if there is no legitimate way to release an | IDE targeted to run on a mobile device via the Google Play | Store.
| pydry wrote: | Most users don't really understand what they're giving up | when they give up the option to run arbitrary code | | As with privacy (Facebook privacy settings, cookie boxes), | it's easy to bamboozle the general public with complexity and | then interpret their confusion and (violated) trust as | consent. | shadowgovt wrote: | I will burn karma forever on continuing to assert, on | behalf of the average user, that even if they don't | understand the details they do know what they want. | | It's not like people didn't have the experience of using | Internet-enabled devices without an app store equivalent in | the nascent days of the Internet, where many options were | good, a few would inject malware onto your system, but | (most importantly) all of the options were _equivalent_ and | there wasn't a "correct" one to choose. | | Don't make the mistake of assuming that people spend so | much on Apple products for no reason. A major portion of | the marketplace _likes_ the lack of choice paralysis. The | ability to run arbitrary code is one giant choice-paralysis | engine. Google has found a good middle ground in selling a | device that is basically configured as "safe by default, | but here's the break-glass button if you want to run | arbitrary code and maybe be more vulnerable to someone | tricking you into root-kitting your own device," but their | average customer would still rather never worry about the | risk of rootkits and they have the data to know that. | | If we are to be in the business of protecting the right to | free(-as-in-speech) machines in the mobile ecosystem, we | need to understand the average consumer that is paying the | bill for that industry to exist, and asserting they just | don't get it isn't how you start that process. | wyattpeak wrote: | This is one case though where that lack of understanding | leads to the right conclusion.
The average user is giving | up nothing by losing the right to run arbitrary code, | because they never were running arbitrary code. | salawat wrote: | Which is why it's all the more important to fight against | it. | | Change your point a bit. | | People are fine with giving up Freedom because they were | never really Free in the first place. | | Circular reasoning is such a seductive fallacy because | it'll fit any use case like a glove. | shadowgovt wrote: | Tweaking your wording slightly, it's basically the | fundamentals of social contract theory. | | I may have the freedom to bash my neighbor's head with a | rock, but they have the same freedom to do the same to | me. This isn't as useful as the freedom to sleep at | night, so we voluntarily give up this freedom. | | Reframing to the topic at hand: if the freedom to mutate | the code on my mobile device makes it more likely that | I'll get pwned by some clever social-engineering than the | odds I'll improve my quality of life by tweaking some | behaviors on the phone, then it's entirely rational for | me to give up that freedom. And, indeed, millions of | phone purchasers annually make that decision. | simion314 wrote: | >they never were running arbitrary code | | JavaScript is allowed on iOS and Android already. So if | Google or Apple do not allow you to run some scripting | language you want then the reason is not security (the | sandbox and permissions should be enough and if it is not | enough then it means the sandboxing is a lie). | fsflover wrote: | > The average user is giving up nothing by losing the | right to run arbitrary code, because they never were | running arbitrary code. | | "The average person is giving up nothing by losing the | free speech, because they never were saying anything." | pydry wrote: | Plenty of users run f droid. | shadowgovt wrote: | Hard to say how many though. | | ... which is, unfortunately, a weakness of F-Droid's own | making (for the right reasons!).
Because they don't do | stat-tracking on users, they don't have numbers. So Play | Store is able to claim "1 billion active monthly users" | (as of 2015) with some certainty, F-Droid can give an | approximation and a shrug. | edgyquant wrote: | This is because most users aren't giving up anything, on | the contrary, they're gaining a more secure phone. | swebs wrote: | >How good are Pinephones[1]? Are there better alternatives? | | I like mine, but the ancient CPU needs a serious upgrade. | There's also the Librem 5, but it looks like they're heavily | back ordered. | johnbrodie wrote: | I got my Pinephone last week, and have been fairly surprised | that it's reasonably usable. I viewed the purchase more as a | donation and a signal that there is a market, but I've been | using it more and my Android phone less as the days go by. | | I'd encourage more people here to purchase one, even if just to | tinker with. There's so many "I'll buy one when it's ready" | replies, but that may never happen if there's no money to fund | the companies trying to make an alternative to Android/iOS. | arp242 wrote: | The biggest problem with "alternative" platforms is just the | lack of app support. | | I used to have a Nokia N9; great phone. But it didn't support | WhatsApp and I was out on the loop on the WhatsApp chat all my | other coworkers were in. | | Then there's things like banking apps, flight check-in apps, | food ordering apps, dating apps, etc. etc. _Can_ you do without | those? Sure, of course. But if I want to order food where I | live then the only option is to use an app. | | No platform will have any chance of any sort of adoption unless | it supports some way of running those apps. There are options | here, for example Jolla/Sailfish OS can run Android apps (no | idea how well that works in practice; the latest update says it | supports "Android 9, and the support for Android 10 is already | nicely on the way"). 
| | It's a "vendor lock-in" ecosystem that's worse than the Windows | lock-in of yesteryear IMO. | | Since I don't really use my phone all that much I decided to | "just use an iPhone" (because it's the only phone that's not | huge), even I think they're really horrible. | summm wrote: | No, it's the bad hardware. With high-end hardware, it would | be no problem to just run something like anbox and | immediately have most of the important apps running. Except | asshole apps that require DRM/safetynet of course, but I | don't use them on my current android phone anyway. | [deleted] | Calamity wrote: | Unless PWAs really took off, in which case, you wouldn't need | to develop for the custom linux phone - you would just need a | supported browser. | ficklepickle wrote: | PWAs will continue to be neglected. They don't allow | invasive tracking like native apps, and they don't get a | 30% cut. | | The web is dead. Kids today grow up using the "google app". | They did what AOL couldn't. | | I'd love to be wrong. | swiley wrote: | I keep hearing this and it's totally wrong. Desktop Linux has | a huge app ecosystem and arguably has more high quality | software than Android does. All of this works on the | pinephone and other similar devices. | arp242 wrote: | Okay, so how can I chat to my friends or companies with | WhatsApp on Linux? How can I order food similar to Grab or | Gojek on Linux? How can I get a date on Linux like Tinder? | | You can't. Sure, there are technological solutions to all | of those, but in the real world that alone is pretty much | useless. | Vrondi wrote: | You can use Whatsapp multiple ways on Linux, including | the web browser version [https://itsfoss.com/whatsapp-linux-desktop/]. | | Although, if you're using Whatsapp at all you're either | massively ignorant or stupid. I mean, giving Facebook | your phone number is just not wise.
| ribosometronome wrote: | I think many would argue that thinking Facebook doesn't | have your phone number is either massively ignorant or | stupid. After all, it only takes one person you know | signing up and allowing access to contacts. | | That said, I am considerably less concerned about | Facebook having my phone number versus Facebook being | able to mine all my conversations to create a pretty | complete profile of who I am and what I do. | vineyardmike wrote: | > if you're using Whatsapp at all you're either massively | ignorant or stupid. | | Let's not name call here. Many people have different | motivations and concerns different than you. Most people | likely already gave Facebook their number, or someone | else did for them through contact book sharing. | arp242 wrote: | And you still need the phone app for that Linux client; | everything is routed through that. | | Good grief, I keep bloody repeating this. Do you people | actually read anything? | | > Although, if you're using Whatsapp at all you're either | massively ignorant or stupid. I mean, giving Facebook | your phone number is just not wise. | | I'm a normal human being who values social contact and | doesn't want to pester all my friends in using some other | app, and a lot of businesses use WhatsApp here too. | | I am neither "ignorant" nor "stupid". This is literally | the worst of HN right here. Do you even listen to what | people have to say and consider perspectives outside of | your own? | ogurechny wrote: | I can't help but notice that it's not a "Linux"'s job to | do something about WhatsApp demanding this and that from | you. It's a problem (let's not belittle it), and it's | yours (well, you share it with others). | | Also, people who can't get in touch with you because you | don't use some fad-of-the-year app are not your real | friends. Tell them that you still use MySpace (wearing a | Myspace T-shirt), or prefer WeChat (a billion of users | can't be wrong), and see how it goes.
| fsflover wrote: | You can use Anbox if you _really_ need some Android app. | ta9999 wrote: | Tinder does have a web interface, so does doordash (I've | never heard of Gojek but I'd imagine it does too.) | | I thought WhatsApp also had a web interface but I | wouldn't use it anyway and there are similar chat apps | that do so why would you? | arp242 wrote: | > I've never heard of Gojek but I'd imagine it does too. | | You imagine wrong. | | > I thought WhatsApp also had a web interface but I | wouldn't use it anyway and there are similar chat apps | that do so why would you? | | The web interface is just a proxy to the phone app. The | other "similar apps" don't have all my contacts on it. | skykooler wrote: | I use Sailfish OS and the android compatibility layer is | decent, but not perfect. Some apps have issues understanding | the network connectivity state, and photos taken with the | Sailfish camera app sometimes don't show up in the Android | file selector until the compatibility layer is restarted. | Other than that, most apps work fine. (I mainly use it for | spotify, slack and maps.) | megous wrote: | > It's a "vendor lock-in" ecosystem that's worse than the | Windows lock-in of yesteryear IMO. | | For regular companies, if they want to shoot themselves in | the foot by not being on the web, they're welcome. It's not | such a huge issue as it would be with government for example. | | Also "any chance of any form of adoption" is a bit | overstatement. I still use a dumbphone, and if I migrated to | pinephone, lack of the kind of apps you mention would | certainly not concern me. Even then, many apps have web | alternatives here, or alternative GPLed clients for Linux | (that includes whatsapp, apparently), that can be made native | on pinephone. | arp242 wrote: | "Not being on the web" doesn't seem like a huge footgun.
| There are probably more people with a mobile phone and no | traditional computer than the other way around, especially | if you go outside of the US and Europe. | | Revolut, Grab, Gojek, Tinder, WhatsApp, and many more are | all successful that offer a mobile-first solution, with | either no web/desktop client or just as an additional | client (usually with fewer features, and/or still requiring | access to a smartphone). | | > Also "any chance of any form of adoption" is a bit | overstatement. I still use a dumbphone | | Of course it's possible; but depending on what your | interests in life are you will pay a price, and in practice | for the vast majority of people the price is too large to | use a non-Android/iOS compatible device. | | > many apps have web alternatives here, or alternative | GPLed clients for Linux (that includes whatsapp, | apparently), that can be made native on pinephone. | | Unless they somehow hacked the encryption, you're still | going to need a connection to the phone's WhatsApp client. | necovek wrote: | > Unless they somehow hacked the encryption, you're still | going to need a connection to the phone's WhatsApp | client. | | Apologies if I sound a bit naive, but what would be there | to "hack"? | | WhatsApp clients are available for many platforms, | whatever encryption they might be using can easily be | figured out by decompiling the code, and if they are | using a key on the client side to do any encryption, that | key is available for extraction from the distributed | client too. | | Basically, my question is what can a closed source | downloadable client do to protect the encryption it uses | to connect to a public network? | arp242 wrote: | Yes, technically I'm sure there are ways around it if you | try hard enough. No one does that though AFAIK. | Vrondi wrote: | If you're using Whatsapp, you've got zero interest in | privacy anyhow, and so you're never going to consider | these issues in the first place.
| mdoms wrote: | Well first of all that's just total BS, but secondly this | thread isn't even about privacy. None of this is. In fact | your comment is the very first mention of that word in | this thread. | Vrondi wrote: | You can do the banking (from most banks) and food ordering | from a web browser on your smartphone. No apps required. | Grubhub, Uber Eats, Doordash, all those sorts of things. Most | of them have a web version, and you can use that instead of | an app most of the time. Just shake loose the Apple-induced | app mentality that keeps you locked in. | arp242 wrote: | Aside from that most of those specific services aren't | available in my location, you really can't. Do you think | I'm stupid and haven't tried? | sneak wrote: | A lot of hardware devices require use of an app these days. | Any with wifi will also require use of location on ios and | are thus unusable if you have location services disabled | systemwide. | | I just returned some IP cameras recently because of this. | meltedcapacitor wrote: | I dream of a dual phone (conceptually 2 phones glued back to | back) where you do web and open stuff on one side, and the | inevitable proprietary apps on googled-android on the other | side, with a quick button to freeze the prop side (for power | saving and mitigating spying). | | (Or same where the 2 phones are somewhat multiplexed on a | single screen, preferably in hardware.) | fsflover wrote: | You can do it on Pinephone with two different independent | operating systems, one on the eMMC storage and the other on | the microSD card. When you put in the microSD card, the | devices boots from it. Otherwise it boots from the internal | storage. | pmlnr wrote: | > The biggest problem with "alternative" platforms is just | the lack of app support. | | Websites. | franga2000 wrote: | Ditching Android is not a good solution - see the application | support problem on Linux for why. 
What we need is a serious and | well-funded Android "distro" that lifts Google's dumb | restrictions and reimplements Google's proprietary APIs for | compatibility. MicroG is doing very well on that second part, | but due to lack of funding still has far too many holes. | meltedcapacitor wrote: | No amount of funding can fix this, at least for all use cases | where apps communicate via google services between phone and | app HQ. The average bank is not going to send data between | bank and user via microg-operated pipes instead of google- | operated pipes because 0.1% of their users don't like google. | nromiun wrote: | > We don't allow apps with any code that could put a user, a | user's data, or a device at risk. | | If Google thinks the ability to execute arbitrary code puts | users' data at risk why don't they go the full iOS route and ban | everything, from scripting apps to other JS engines beside | Chromium? | | I am so sick of their behaviour, the only reason I am still on | Android because things like F-Droid still exists and iOS is even | more closely guarded. | cookiengineer wrote: | Technically, f-droid is a walled garden of sorts, too. | | The difference is that fdroid is actually helping users through | being transparent about it. The other stores and their policies | usually are not transparent, and therefore nobody knows whether | there were financial motivations involved in the decisions. | | What I don't like is google claiming droidscript harms Android | through a malicious AdMob ID. Even if that were the case, what | happens to the 100.000+ installs that are rolled out already? | And the Apps built with DroidScript? | | If there's no support you can contact (at Google) and no | changelog on what happened, the policies get intransparent and | look more like a financial motivation rather than a decision | that seemed to be beneficial for the end-users. | CivBase wrote: | I can add third-party repositories to F-Droid. 
The default | F-Droid repository may be a walled garden but as far as I can | tell the app and protocol are definitely not. | cookiengineer wrote: | A walled garden doesn't necessarily exist solely of | proprietary protocols and code. In the case of fdroid, apps | that violate open source licenses are not allowed. | | So, technically, from the perspective of a company like | Facebook, fdroid is a walled garden they cannot enter | without open sourcing their code. | | (I'm not saying fdroid's policies are bad. I'm just trying | to make an argument for the counterside and am playing the | devil's advocate here.) | | PS: I know about third-party repositories. That's not the | point, it's differences in policies and their effects on | the ecosystem I want to discuss because I think they're | more important. | | Google advocates always make the argument that endusers | "can just root their phones and install the APKs anyways" | which is similar to f-droid with an external repository. | Most non-technical endusers simply won't do that. | _ZeD_ wrote: | no, literally: you can add any repository you want, even | with proprietary code. | CivBase wrote: | "In the case of fdroid, apps that violate open source | licenses are not allowed" ...on the main repository. | AFAIK, there's nothing stopping Google or anyone else | from setting up their own F-Droid repository to | distribute apps with proprietary code. The normal F-Droid | app should be able to use a repository like that just | fine. | | EDIT: Addressing the "PS" that was added... | | > Google advocates always make the argument that endusers | "can just root their phones and install the APKs anyways" | which is similar to f-droid with an external repository. | Most non-technical endusers simply won't do that. | | Android skirts around the criticisms fielded towards iOS | by technically allowing users to install and distribute | third-party apps. 
The real problem with Android is that | the default distribution platform (Google Play Store) is | a walled-garden, proprietary app with such a massively | disproportionate market share that most users don't even | realize there are alternatives. And Google ensures their | store will always be the default because they hold their | proprietary Google Play Services for ransom. And Google | Play Services is so valuable because it provides many | convenient features and functions, including some which | used to be part of the operating system itself. | cookiengineer wrote: | I totally agree with your points there. | | But I think that the main issues of Android (or AOSP) are | even a level deeper than just the Play Services. | | There are lots of initiatives that try to create a free | ecosystem for themselves (Lineage, /e/, Carbon, et al), | with their own stores and sources for Apps. Most of them | have varying degrees of success, due to gapps | counterparts like microG [1] not being able to keep up | with what Google's Play Services provide API-wise. | | It's an absurd amount of features, and a lot of API | workflows to consider. Bugs and crashes everywhere down | the user experience...but hopefully they're getting | slowly to a stable state. | | Coming back to the real problem: I think it's actually | the Vendor deals that Google did. Most of the | manufactured devices are almost impossible to flash | without reverse engineering skills, and this is | intentional. Having to wait more than 3 months to unlock | a smartphone's bootloader because the manufacturer | doesn't give a damn about you is just one of many | examples; setting aside that most of the unlock | procedures are meant to be understandable by developers- | only. 
| | I think that in order to "really free Android" the | creation, flashing, updating of ROMs has to be | standardized in a more homogenic way (partition fatigue, | anyone?), because it would allow a graphical and easy-to-use | software to be built. That would allow to flash a ROM | without e.g. losing all /data and more importantly - be | usable by end-users without technical knowledge. | | In my social circles I'm the guy that flashes LineageOS | to their devices, because most of the terminology is so | far away from the reality of most users that they have no | single clue where to start. The amount of knowledge that | is required to flash your device (and be Google-free, | even in Apps with e.g. with Appwarden [2]) is absurd and | as long as this is the case it will be a niche that's | being ignored by politics (and potential regulation laws | that would force Google's policies to change). | | [1] https://lineage.microg.org/ | | [2] https://gitlab.com/AuroraOSS/AppWarden | CivBase wrote: | I kind of agree, although I'm not sure it's fair to say | that the problem with Android is that you can't easily | replace it with another OS. That's not really an | _Android_ problem. | | It's incredible what a smartphone can do given its form | factor and a lot of that is thanks to their use of SOCs. | I have no experience with OS development for SOCs, but I | hear it is much more involved because a new version of | the OS must be created for each SOC - specialized to work | with the device tree supported by that chip. As I | understand, Google doesn't do that work. Manufacturers | have to fork Android and implement support for their SOCs | on their own, then they have to maintain that fork as new | Android releases keep coming. It's no surprise then that | manufacturers don't want to invest additional support into | other operating systems like LineageOS. | | There's probably a better way to do things.
I'm sure | manufacturers could make information more available to | OSS communities which would allow them to do the work | themselves more quickly and effectively. Like you | mentioned, standardization would also go a long way | towards making our current smartphone ecosystem more | friendly to third-party OSes. But ultimately, none of | that is really _Android's_ fault. | | Even without Google's vendor deals, I doubt the likes of | Samsung, Motorola, or any other major smartphone | manufacturer would start supporting LineageOS. It's hard | enough to even get Linux support from desktop/laptop | manufacturers. LineageOS is a really amazing project, but | I don't think it's the one paving the way for open source | operating systems on smartphones. I think most of that | work has to come from the hardware side with projects | like the PinePhone. | donio wrote: | Would you call a Debian system a walled garden too then? | Phylter wrote: | You may not realize this but Apple allows scripting apps on | their platform now. There are two notable Python language | interpreters Pyto and Pythonista. There are some shell | environments too that include Unix style command shells and | different interpreters. | pdkl95 wrote: | >> "Can't you just make us a general-purpose computer that runs | all the programs, except the ones that scare and anger us? | Can't you just make us an Internet that transmits any message | over any protocol between any two points, unless it upsets | us?"[1] | | The War On General Purpose Computing continues. Far too many | business models depend on selling general purpose computers as | "appliances". They presume it is possible to sell a computer | that isn't Turing complete. | | [1] https://boingboing.net/2012/01/10/lockdown.html | therealjumbo wrote: | I think the more interesting cases are 3D printing of | weapons, and in the future programmable biological material.
| One of his statements is that he himself, may not like the | applications enabled by general purpose computing, but that | even if he personally doesn't like them they shouldn't be | outlawed or banned. | | Google messing around with their app store is peanuts | compared to the government banning or restricting 3D printers | because they could be used to evade gun control for example. | FredFS456 wrote: | There's nothing wrong with the appliance business model - | embedded devices that use microcontrollers are Turing | complete and yet no one complains about those. It's only when | devices are marketed as general-purpose (i.e. smartphones, | PCs) but are locked down to prevent running arbitrary user-loaded | code that it becomes a problem. | glsdfgkjsklfj wrote: | > no one complains about those | | _YOU_ do not complain about those. | | I complain about my TV showing me ads. I complain about my | car not resetting one annoying light when I change the oil. | I complain about the proprietary connectors on my generic | batteries that restrict me to one brand of power tools | (that gets discontinued for new proprietary connectors | every 2 years). | | It's fine if you love exploitation capitalism. But don't go | assuming crap about others. | CivBase wrote: | As far as I'm concerned, as soon as you've publicly | released an SDK and invited third parties to form | businesses off of developing software for your device, you | have no right to represent the device as an appliance. At | that point it is obviously a general purpose computer. | criddell wrote: | Would you call things like the Amazon Echo and Sony | Playstation general purpose computers? | CivBase wrote: | Yes. | horsawlarway wrote: | I disagree. | | I also mind when things like my tractor or my car are | locked down to prevent my ability to use a 3rd party repair | shop, repair it myself, or make changes so the item better | suits me: The person who fucking owns that computer.
| | I think there's a very real risk that the concept of | "ownership" is going to die if we continue in this fashion. | | Do you own a thing if you're prohibited, intentionally - by | the manufacturer - from making any changes? I'd say no. | | Do you own a thing if it has to check in to an online | service controlled by someone else before it works? I'd say | no. | | Instead you're just renting, and these companies are | intentionally rent-seeking (in the worst possible way). | Grimm1 wrote: | Add that on to the fact that almost everything is rent to | buy with "incentives" shoved in your face for never | actually finishing out the contract to own something, | like your phone. I think ownership for everyone outside | of some select few is in very real danger and I've | thought so for some time. | adreamingsoul wrote: | I agree. | kube-system wrote: | I still like my car to have an immobilizer, and locks on | the ignition and doors. There is certainly some level of | access controls that most people definitely want. | dTal wrote: | And who owns the keys to those things? You, or the | manufacturer? | kube-system wrote: | Many vehicles have the keys stored in their | ECU/Immobilizer signed/encrypted with the manufacturers' | key. | | There are some (mostly older) where you can directly | reprogram the eeprom but those cars are easier to steal, | because anyone can also do this. | salawat wrote: | Those are still "yours" in a sense, so don't fall into | the feature set the poster you are replying to is talking | about. Though the immobilizer somewhat skirts the line. | (Or at least from my personal view). | | Think John Deere implementing software lockouts in the | tractor ECU. That is nothing more than forcing their | business model onto the end user through digital logic. | stjohnswarts wrote: | Those are the sorts of things that need to be legislated. 
| You should not be able to lockout people from ECU for | example, but the person would have to be willing that a | compromised ECU can blow up/damage their engine and they | will have to accept that the warranty is invalid the | second they mess with the ECU programming. | Jiro wrote: | That's no good because the car can malfunction for | reasons other than damage caused by the ECU, and the | warranty covers those reasons too. You shouldn't have to | lose your warranty on part A because you modified | unrelated part B. | [deleted] | kube-system wrote: | They're just as much "mine" as an iPhone is. It is | extremely common for digital authentication of physical | keys to be protected by encryption or signing by the | manufacturer. | horsawlarway wrote: | Sure, but to be as blunt as possible - You don't own your | iPhone. Full stop. | | You are renting it from Apple. They control what you run, | when you run it, what you can install, what you can | remove. | | By default, they're shipping you a device where you're | literally not the root user. I can't possibly think of a | clearer argument that you're renting, and entirely at the | whim of Apple (which does have root access, and actually | owns the device you happen to be using). | | The issue to me is that ownership implies the right to | modify and change a thing, especially in ways that the | original manufacturer doesn't support or agree with. | | If the manufacturer is still calling all the shots on | your device, you don't own the device! | kube-system wrote: | Sure. No matter what your definition of "own" is -- I am | saying, my car is already the same thing. | | The question is, do we have a good solution to enable the | average user to own their device while also ensuring | security _and_ availability? | | We have two options with cars, either intentionally | implement a security hole, or let the manufacturer "own" | it. 
Because the other option -- tell the customer they're | SOL when they lose their private key, is not a solution | that is practical (grandma will lose hers) or possibly | even legal (manufacturers' obligation under lemon law). | kelnos wrote: | That's not what people are talking about, though. | Certainly people want security features that make it more | difficult for someone else to steal their car. But those | features should be under the control of the owner of the | car, not the manufacturer. | kube-system wrote: | It's really hard to do that _and_ make the thing a | consumer-friendly product. We've been trying to solve | this problem for most of the history of computers, yet, | attacking authentication (often indirectly) is still the | #1 way that computers are compromised. | | Most people simply are unable to properly handle private | keys. All of the systems with the highest levels of | consumer satisfaction have third parties that manage (or | at least can override) keys on the user's behalf. Systems | that do what you're suggesting are notoriously plagued | with issues surrounding key management to the point where | they never reach mainstream use. i.e. PGP, bitcoin, etc. | stjohnswarts wrote: | I think as long as you're willing to give up your | warranty on your tractor/car/whatever because you're | hacking on it with 3rd party tools/firmware you should be | able to do whatever you want with it. Just remember it's | a two way street and everything has a price, you will | have to give up something to get something. | dalbasal wrote: | >> There's nothing wrong with the appliance business model | | Do you mean that literally? There is daylight between | "appliances shouldn't exist" and "there's nothing wrong | with appliances." I mean, I agree that microcontrollers and | smartphones/PCs are different. There's obviously | _something_ wrong if problems emerge at some point along a | scale. There's no real defining line between GPCs and | microcontrollers.
| | I also don't think it's a problem if someone somewhere has | a locked down PC. It is a problem if most people do. | pdkl95 wrote: | https://en.wikipedia.org/wiki/Tivoization | | So many people complained about not being able to run their | own firmware on the TiVo that it caused the GPL to be | updated to version 3. | | While Turing machines are universal, there are practical | limitations of the hardware. A tiny embedded | microcontroller with _kilobytes_ (or _less_) of memory is | not an attractive target for customization or repurposing. | Today it is probably easier/cheaper to simply buy a | Raspberry Pi or similar. | | Also, some companies understand that they are in the | business of selling _hardware_ and don't particularly care | what you do with it. | dalbasal wrote: | It's useful to see through a principles/fundamentals lens. | General Purpose Computing that isn't Turing complete, or | whatnot. Genuinely useful. | | But, the "freedom is indivisible" take is not _always_ | useful, particularly not on its own. There are practical | realities to contend with and the world of appliance-computing | is big and complicated. A lot of issues relate to | back competition, or lack thereof, for example. | | >> an Internet that transmits any message over any protocol | between any two points, unless it upsets us? | | Look... The problems coming to fruition today have been | talked about on HN/etc. for decades. They're hitting the | political stage, and all those discussions have near zero | impact. The ideas were never translated to general | consumption form. We always preferred to be right over | effective. | | The average politician has never stopped to think about how | www, linux, email, gnu, wikipedia and such are possible, what | that means. If they did, they don't have the vocabulary for | it. We didn't give it to them. Just let them read "cathedral | & bazaar" or somesuch. Instead of working we snarked our | incomprehensible principled platitudes.
Worse, we arrogantly | assumed we'd win anyway. The internet couldn't be locked | down. A country who tried to make Great Firewall would fail. | Property rights would be redefined^ because digital copyright | is impossible and the internet is more important than Beatles | royalties. How wrong we were. How seldom we remember it. | | Classic ideologies like Marx, Rand & such tend to fall into | this exact arrogant trope. I am so right about everything | that it's all inevitable. History will conspire. The arrogant | fools. Us too. | | Think of all the pull that Disney, EMI, etc have. Every | politician can recite the case for copyright verbatim, along | with the other talking points. Protecting their interests is | literally one of the main things the US uses its might for. | It's always a non negotiable demand in trade relations. Every | politician or hack commentator knows to cite "stealing | intellectual property" as a complaint against China or | whatnot. Major digital legislation (eg DMCA) was written by | and for them, along with other laws. | | Conversely, very few politicians or hack commentators could | articulate a digital freedom case, a case against copyright | militancy, or a case against software patents. Those that | can will be freestyling it. No "talking point" sheets. No | consistency. No real lobby. No solidarity. No effectiveness. | | How the f##k do EMI & Disney have much more influence than | us, or at least Google & such? We are arrogant fools. That's | how. They're entertainment industries. We're the engine of | modern economies. DMCA affected the tech business just as | much as Disney. We even had status quo on our side, so all we | needed was a hung jury. How did we lose this? It's a joke. | Like Mike Tyson losing to McBride. | | Right to Repair should have been long won. We should be | battling for OS _mandates_ on the back of it by this point. | | So... where are we now? 
Politicians and journalist-types are | literally starting to think of regulating social media as a | "common carrier." Concepts recycled from early 20th century | Telecom sagas. Not "neutral" carriers. Not "open" networks. No | "free as in freedom." In fact, it seems like no idea from the | personal computing age has influenced anything. No one who | understands FOSS or how the www works is even in the room... | the room where decentralising an internet-based | communications network is being strategized. Do we realize | how big a failure this is? | | ^No shade intended. I agreed ATT. I still do in the abstract. | But, the lack of "what we need to do" was a mistake, IMO. | History does not drive itself: | http://www.paulgraham.com/property.html | Aperocky wrote: | It's inevitable, given the scale that has to happen before | ASIC become remotely profitable and how cheap general purpose | computers are today. | | Just buy some cheap SOC from the market and load the | software, close it in a blackbox and call it a day. It's | going to be the future now. God forbid they also talk to | internet and runs an OS version from 2014 and never gets | patched. It's a botnet paradise. | viro wrote: | the issue is we as a market expect them to be responsible for | the security of the OS and its apps. It's very difficult to | manage security without control. | kelnos wrote: | Only from certain perspectives. | | If I'm a network engineer at a company, I need full control | of the network to ensure security. As just a user of that | network, I would have to understand that I don't have full | control for security reasons. But it's not _my_ network. | | When it comes to consumer devices, there's no reason why | security requires locked down devices that the so-called | "owner" of the device can't control. The end-user should | always be in charge. If the manufacturer chooses to put | escape hatches in front of features that could lead to | security compromise, then that's fine. 
But those escape | hatches should exist, and I refuse to buy a general-purpose | computing device that doesn't have them. | | The Google vs. Apple argument here is specious; the locked- | down nature of Apple's devices is not necessary for their | better (but honestly still not great) security, and the | less-locked-down nature of Android is not what makes it a | security minefield. | leowbattle wrote: | From the article parent linked: "It doesn't take a science | fiction writer to understand why regulators might be nervous | about the user-modifiable firmware on self-driving cars" | | It's not just regulators who are nervous! What if someone | modifies the firmware in their self-driving car and | introduces a bug that causes the car to crash and kill | someone? | adrianN wrote: | Then presumably we do the same for that as we do for other | illegal modifications or reckless driving today. | seany wrote: | You mean, like people can do on purpose right now? | ballenf wrote: | The battle really parallels the larger right to repair | debate. (Especially if we realize the latter is probably | better called the right to exercise control over purchased | goods.) | oneplane wrote: | Does it? Everyone is quick to judge but coming up with an | alternative is hard enough that nobody has done it so far. | | With scale comes scaling issues; general purpose computing | and repairability need a different commercial model that | doesn't match with the currently used models. | | This leaves two avenues: | | - Make it worse for everyone but keep it going | | - Make it worse for everyone in a different way and keep it | going | | I don't know of a good solution here, but I do know that | it's a sucky situation and the many "good ideas" to fix it | aren't actually making it that much better. 
| | Current scenario: | | - Manufacturer on the hook for most things but also | controls most things | | - End-users that fall within the 90% bell-curve are fine | | - End-users that fall outside of that are royally screwed | and they don't even know it | | - Users that are not end-users are screwed, but they know | they are | | So far all I have seen is: | | - Manufacturers still on the hook for everything but they | get to control less | | - Everyone gets a little better but also a little screwed | now | | - The 10% outside of the curve don't get as screwed as they | did but they still don't really know that they are screwed | | - The non-users don't get screwed the way they used to but | still get screwed | | To clarify: | | If I were to manufacture something, express what user | experience comes with my 'thing' and warrant that | experience to a certain degree, I don't want to be on the | hook for any service or cost outside of that. The more I | get to control, the smaller I can make the risk. That means | I can also plan ahead better and reserve resources, but not | so much that I don't have resources for something else left | over. | | This also means that if someone wants a different | experience (i.e. they are not my targeted audience) or if | someone wants to do something I cannot verify, I really do | not want to be on the hook for that. 
| | In total that means: | | - If what I want and what my customer wants is similar | enough, we're both happy | | - If a small percentage wants something else, I cut my | losses and simply don't serve their needs as soon as the | cost of maintaining that deviation is bigger than what I | would make off of it (short term and long term) | | - If someone does something I don't have control over, but | they do come to me to fix their problem, I don't want to be | responsible for that, and I don't want to do any research | on the possibility that something I made happened to break | at the same time the customer broke something else; I just | want a blanket "I am the captain of my UX" rule and be done | with it | | Now, I'm not saying this is ideal, or that I am an actual | manufacturer, or that this is specifically what Google is | doing (or Apple is doing for that matter), but I am saying | that you can't have it both ways. Want something cheap and | abundant? Gotta have scale. Can't have scale if you make a | bunch of risk, add a lot of differences and support more | than your middle-of-the-bell-curve. This sucks, but it's | also not easy as saying "let me do what I want", because | what happens to you and your device has side-effects, and I | really don't want to get affected by something someone on | the mobile network (or wifi network) I'm on did to their | 'personal' and 'owned' and 'freedom' and 'muh righz' | device. | | Or in a high contrast (black-and-white/good-or-evil) line: | If you want to be on a shared service, play by the rules or | get out. (reality isn't that high of a contrast obviously, | but it drives the point of externalities home a lot | quicker) | EvanAnderson wrote: | If the network can be adversely affected by a "muh righz" | device then the network's threat model is shoddy. Taking | away freedom to prop up a badly engineered product isn't | fixing the bad engineering. | | The Internet is a good example. 
The threat model has been | far too trusting, historically. We're paying for that in | a variety of different ways. Burning it all down and | starting over is impossible, so we're stuck in a mess. | Maybe we can do better in the future. | oneplane wrote: | Indeed. I would perhaps formulate it slightly differently | but it is what it is. | | This is also something that feeds the 'it used to be | better back in the day' feeling, because some aspects | might actually have been better because too many possible | threat actors back then wouldn't take internet seriously | and as such weren't an actual threat. So it wasn't safer, | it was just less-attacked. As a result there was less | pressure to make hardened clients and servers, and as a | result of that, it meant that things like digital | signatures were extremely optional (and computationally | too expensive to include for the sake of it). | | On the other hand, it's also the openness that brought | its success, and may very well cause its downfall. (that | said, nobody has been able to come up with a worthy | replacement so far) Having no single owner makes it | better in that regard, but also worse. | ShroudedNight wrote: | Your primary alternative already sounds materially better | than the 'Current Scenario' you describe: | | 1 - I'm not sure I've encountered anybody that | universally falls within the 90% 'ideal' coverage. The | more hostile things are to outliers, the more difficult | everyone's life becomes. | | 2 - As far as I can tell, the slack that allows the | bottom and top vigesimile (? 1/20th) to survive is also | what allows the flexibility to foster the discovery of | novel technical and societal configurations that are | materially better than the status quo. That's how a kid | from a family of coal miners has a path to making | significant contributions to NASA. 
| oneplane wrote: | As for point 1: that depends; if your business operates | on keeping the center of the bell curve happy, and you | don't like to risk that, then implementing something that | degrades that doesn't seem like a sound business | decision. Keep in mind that this is from the 'producer' | perspective. | | As for point 2: that should indeed be how it works, but | the circumstances have changed, especially for large | scale general purpose computing, and for various reasons | and stakeholders as well. This is also the (wrong) fuel | on the (wrong) fires in the current discussions on | ownership, repairability and shared systems; it often | tries to compare the "now" with a chosen "back then", and | leaves out externalities causing the whole comparison to | be useless. | | For example: it used to be that you could run whatever | code you wanted and you didn't need anyone's permissions | and nobody could stop you. Now, at scale, that means | everyone from teenagers at schools circumventing the | implementation of a usage policy to state-level actors | extracting information would run whatever they want. They | are of course already doing that to some degree, but this | would be so much bigger and so much easier when you just | 'run whatever code appears at the JMP', we might as well | not have an internet. | | This, in turn, means that you have to have some form of | control, and some form of distribution or supply of such | control as neither the will, nor the skill exists at the | required scale to have everyone do this individually. How | does one assert such control? Cryptographically. And now | you're in PKI hell, or you're in DRM hell with DRM | servers that go offline and render systems unusable. Oh, | and you get DMCA and Legal requirements for free too. | | It would be amazing if we could figure out a way to | operate shared systems, and have some form of delegated | control without having a PKI-like authority as the only | way to ensure it. 
But I haven't seen it yet :-( | | And this is just one of the many issues. | | Take hardware for example; you can do plenty of nefarious | things with hardware, and the user would never know about | it. Want to backdoor an audio module so it constantly | streams what the microphone picks up to an actor of | choice (a social media company, advertising company, your | abusive spouse, the government of a state that will hurt | you on detection of dissent), you can do that and no | normal user would ever notice. How would you then prevent | such modification? Well, you could make hardware hard to | access or hard to modify without visible marks. That's | one area (slightly) covered, but then there is the | software, imagine hacking that remotely. So how would you | do something about that? Perhaps signing the software and | checking the signature. Bam, back in PKI hell. | | And if you were to make hardware hard to access, now you | have a bad UX when someone comes to your service | department and gets presented with a huge bill because | your device had to be rebuilt because your kid put puke | in the microphone hole. But if you make it unsafe you | have the other problems again. No winning deal there. Or | what if you use seals, now you have no idea why the seals | are broken. Did someone tamper with it? Was it just a | service call that's not registered in your system because | it was done elsewhere? Who can you trust? What if you fix | the reported issue but now something else breaks and you | don't know if you did it or the previous tech did it? | Guesses everywhere, everyone is sad, nothing works. yay. | | Again, no real solution here. Say you do the (not very | often implemented) secure boot method where you insert | your own CA; that's great for yourself, not great for a | shared system, because now everything else that requires | you to be securely booted needs to trust that CA too. 
| This, however, is an area where you can do a partial fix: | if you just want local verification and you have the CA | and CT you can at least know for yourself. But that | doesn't work at scale. We can't expect billions of people | to be PKI experts. And we can't expect them to understand | the ramifications of the lack of verification either. | (which includes effects on them, but also effects on | everyone else they are in contact with by proxy) So now | you still need that 'magic' central authority making a | policy and a verification for that policy and | enforcement. PKI hell all over again! | | (keep in mind, I don't name PKI hell a hell because PKI | is bad, I think it's great and I love me some hashing, | public-key cryptography and root-of-trust chains -- it's | just that there is no solution right now where you don't | end up having an authority that can use it for good and | bad at the same time) | | There are a lot of scenarios where we could mitigate | 'some' of it: | | - Authenticated core but leave peripherals alone (your | mainboard and CPU and AV chain would be on its own, but | your keyboard can be key logging you as much as you want) | | - Unauthenticated mode but no interaction with shared | systems (would work great for things like farming | equipment) | | - Offline or do-it-yourself mode (again, no interaction, | but you'd be offline anyway) | | But then you're still in the realm of real-world abuse | (want to know your ex'es password? backdoor the keyboard! | steal your boss's documents? backdoor the printer!). | | I don't know how to fix all of this, but removing all | forms of authentication and still having shared systems | isn't the way. | ShroudedNight wrote: | > just 'run whatever code appears at the JMP', we might | as well not have an internet. | | I'm old enough to have used the internet with a computer | running Windows 98SE. 
As far as I can tell, besides data | throughput, only webmail, maps, and media streaming have | gotten materially better since that time, and even those | peaked in an era when people were still running Windows | XP SP3. | | Despite all this froth about how we need to lock stuff | down within an inch of its life with manufacturer- | specified code verification, (North American) banks still | seem to mostly be using the same terrible authentication | policies they were 10, even 20 years ago. | | The hardware problem isn't new; phone taps have been easy | to install for decades. The world didn't end, nor did we | shut down the telephone network. | | In re software, we could easily strengthen owner trust in | systems without having manufacturers ensnare us in | straitjackets. Trust on first use could allow an | infrequently-updated chain loader to verify subsequent | components without depriving the owner of using the | system as they desire. Hardware tokens, or physical | buttons with dedicated circuitry could prevent certain | system functions from being configured / updated without | direct user intervention. 'Trusted' execution | environments could be used to run software of particular | significance to the device owner. We have an enormous | quantity of tools in our tool box to improve the security | of systems without relinquishing ultimate control. | | Ultimately, though, liberty will always have some | irreducible risk. It's not obvious to me why we should be | valuing status-quo business plans to its detriment. | oneplane wrote: | The issue is that the users are not capable of overseeing | the consequences of their actions, and when you function | in a shared system that is not great. (understatement of | the year) | | Even technically skilled users won't benefit from a | construction of 'trust on first use', when was the last | time you verified the host key of a system you SSH'ed | into for the first time? 
How do you trust a system purely | on something like that? And even then, when you got an | error that the host key no longer matched, did you go on | a research run to figure out how this might have | happened, or did you just replace the key in your local | known hosts cache and went on with your day? | | What about websites, do you disable all CA's and just use | local key pinning on all the websites that you visit? | This is something you could do right now. But you won't, | and neither will anyone else because it is far too | inconvenient. It makes the entire thing useless. And | every time you send an email, are you going to verify the | fingerprint of the supplied certificate as well? | | While it might not be obvious to you, the feasibility of | this at scale is something you can figure out by simply | talking to users, looking at A/B tests, comparative | research, and looking at the security configuration of | various users' systems and asking why they might have | chosen the configuration as it is, and what the impact to | them, the people they interface with and the internet as | a whole might be. | | wrt phone taps: it's possible and not the point (and not | useful; the Americans did plenty of local and global taps | and almost none of the broad taps yielded anything useful | over 10 years, it was only the highly targeted taps that | yielded real results). It's also not froth, "locking up | stuff" and "straight jackets". It's about a hard problem, | with everybody having an opinion but nobody having a | solution. And the only thing people seem to want to do in | such a scenario is apply a scorched earth policy which | besides the obvious destruction doesn't yield a solution | either. With the current devices and services there is so | much personal data, proximity and interaction that the | value and impact is much higher than your landline at | home. 
The point isn't to make it perfect or perfectly | secure, but to make it hard enough that it isn't an | attractive broad-spectrum target anymore. Making it | cryptographically hard to hack into a baseband, a bootrom | or kernel is a very effective method to make this | protection a reality, and so far there has not been a | successful alternative presented by anyone, anywhere. | | Ultimate absolute liberty is a fallacy, externalities | exist, and society doesn't work in anarchy (but doesn't | flourish in strict hierarchy either). Until you can | manipulate time and space, and modify matter at a | subatomic level, you are and will always be dependant on | externalities, and as such you have to work with those. | How hard you make it for yourself or others depends on | the degree of society and civilisation you can live with. | You don't control the BGP tables on your ISP's routers, | but that seems to be fine for all the millions of users. | But all of this is straying away from the topic at hand | quite significantly. | | (Edit;) As to the 'value status-quo business plans': that | is not something we value, but something the producers of | some large-scale hardware and software manufacturers | value. They aren't society's friend, but they do need it | to buy its products. And if the USP of the product is | something you want to remove, then the manufacturer is | probably going to try to prevent that. This would be | 'fixed' by you getting what you want and they getting | what they want, but that is not technically feasible (or: | has not been shown to be technically feasible yet), hence | the long blocks of text describing that problem. | wwarner wrote: | Agreed. I would feel better about this if I didn't think | apps and local computing were really important. The | alternative to phone apps is the web, but the web will | never be fast (imo) and is simultaneously getting less open | every day as well. | bakatubas wrote: | The web is the way for universal exposure. 
Regardless of | speed it's the only standardized, universal and widely | used interface. | | WebAssembly will be the ticket there--once it's developed | a bit more. | | That being said, nothing compares to native. You could | have shitty hardware by today's standard with amazingly | performant software if there weren't so many damn layers | in-between. | | People are fickle with hardware though and we devs need | things to slow down a bit to appreciate the nuances of | each device! | MayeulC wrote: | The right to purchase. | | It's become an issue of defining "purchasing". But | companies don't want us to purchase appliances, they would | be much happier if we could rent them. | utexaspunk wrote: | Gotta get that steady income. We're quickly becoming a | society split between rentier capitalists and renters | MayeulC wrote: | On the other hand, if they expected us to rent phones, I | imagine they would be a lot sturdier... And probably find | a second life for them, though that's happening: | https://arstechnica.com/gadgets/2021/04/samsung-starts- | offic... | ticviking wrote: | And I would. At much much much lower prices | throwaway_4747 wrote: | Soon you will own nothing and be happy! According to the | great reset and the WEF. | Loughla wrote: | I have had my same fridge for 10 years, with no signs of | failure. Unless the monthly payment was $3.00 or less, I | would be paying more than I should starting in June. | | The rental/do not own anything model is just awful, in my | opinion. | sdenton4 wrote: | For appliances, the vulture capitalists are building | things to break sooner to get you to buy more often. | Loughla wrote: | White goods are relatively easy to repair, though, and | the parts tend to be relatively easy to find as well. | brobdingnagians wrote: | Totally agree. The more time passes, the more I realize | that I want to own what I have. 
I've grown more selective | about what I purchase in general and I've become more | minimalistic; but if I want to have it at all, then I | want it to be mine free and clear. Especially when it | comes to tools, land, and personal items. I want Good | Quality and paid for with cash. | | I tend to use things until they completely wear out, and | I get really good life out of them. This makes them very | cheap compared to the usage pattern of upgrading all of | the time. Renting would be very expensive lifestyle; and | my usage pattern is more environmentally friendly to | boot. | spicybright wrote: | Couldn't agree more. Anything you don't own 100% can be | put in jeopardy totally at random. If it's something | important that can be incredibly stressful. | colonelpopcorn wrote: | I think the trend of soft social credit score via big | tech makes this an even dicier proposition. | [deleted] | zerd wrote: | Leasing usually isn't cheaper than owning long term | though. So your total cost will most likely be higher. | echelon wrote: | Apple is guilty of this too. | | No general computing company should be the single ingress | point to running on their platform. For platforms with | significant penetration, this is a market monopoly. [1] | | For Apple, it's iOS and, increasingly, MacOS. | | For Google, it's Android, and as has become glaringly | obvious, Chrome. They shouldn't be allowed to run a | browser. | | The DOJ needs to stamp out this anti-competitive, anti- | consumer behavior. | | You can "protect" consumers with a permissions model and | malware signature warnlist regardless of whether you | enforce a store. Microsoft does it. Microsoft is the only | company playing fairly. | | ([1] And no, this doesn't apply to game consoles. They're | toys with lots of alternatives. You don't do business, | banking, dating, note taking, drawing, stock trading, etc. | on them.) 
| lotsofpulp wrote: | > You can "protect" consumers with a permissions model | and malware signature warnlist regardless of whether you | enforce a store. | | I'll believe it when I see an alternative to iOS devices | that my dad can't get malware on and only need a few | seconds to fix by uninstalling an app or power cycling | the device. | anoncake wrote: | > You don't do business, banking, dating, note taking, | drawing, stock trading, etc. on them.) | | Because it's artificially made impossible. No computer | should be artificially restricted - let's not keep any | loopholes open for no reason. | ncann wrote: | Even as a casual Android dev I've noticed it becoming more | and more restrictive over the years, from restricting apps | from reading storage, to restricting apps from accessing | clipboard, to restricting apps from running in background, and a | ton of other things all in the name of protecting customer. | Every time I update to a new phone with a new Android version | my hobby apps (which only I use, not published anywhere) are | broken in some ways because of this. The end goal of Android | seems to be a closed system like iOS and that makes me sad. | You can make things harder or hard by default but at least | give the power user some choices damn it. | lallysingh wrote: | That's how platforms evolve. First they work to attract | developers, and later they work to reduce abuse. | criddell wrote: | > at least give the power user some choices damn it | | At some point it just doesn't make economic sense to do | that. | stjohnswarts wrote: | That's the way only bean counters should think, not | developers, it should be a problem to solve since it | helps keep us honest and not just a cog in the system. | jabroni_salad wrote: | You can still do things, it's just that now the user has to | approve it. Maybe a 'let every app have every permission by | default' checkbox would make you happy but I'm not going to | advocate for it. 
And you can still sideload an APK without | even having to jailbreak the device. | mattowen_uk wrote: | Re-read the parent post. They write hobby apps that they | clearly sideload themselves. They are also right, each | iteration of the SDK takes away another feature of the | device the app can access, regardless of whether you ask | the user, in this instance the author of the app, for | permission. | | The end state is for apps on Android to be either | pointless fluff that basically do nothing useful, or mega | apps written by big corps where the rules don't apply. | Hobbyist coders are not wanted, or accommodated. | ncann wrote: | Exactly. To give an example, I have a dictionary app that | I wrote to facilitate my French learning that runs in the | background and automatically looks up word copied to the | clipboard (e.g. from Play Books or Chrome) and brings up | the definition. Starting with Android 10 or so they | disabled clipboard listener for apps in the background so | the whole functionality is toasted. There is no | permission to enable this "clipboard listener in | background" | austincheney wrote: | Weak. | | The console tab of Chrome's developer tools allow arbitrary | code execution. That example is not a security violation, ergo | arbitrary code execution is potentially but not necessarily a | security violation. | | A valid remediation requires more than just _arbitrary code | execution_ , such as privilege escalation or leaking | containment. | yjftsjthsd-h wrote: | Given the issues that termux has hit, they're certainly moving | that way. | | https://github.com/termux/termux-packages/wiki/Termux-and-An... | pjmlp wrote: | Only because Termux developers refuse to use Java APIs and | don't accept Android isn't a POSIX clone. | higerordermap wrote: | Chill dude. How do I run gcc in java beanshell? | pjmlp wrote: | https://play.google.com/store/apps/details?id=com.aide.ui | nulld3v wrote: | Can you elaborate on how this link is relevant? 
| yjftsjthsd-h wrote: | Android certainly has an acceptable POSIX component when | it's not artificially broken. | nromiun wrote: | Yep, Termux is the most used app on my phone and I don't know | what I will do when they have to migrate to SDK 29. I will | probably buy another phone and install LineageOS. | negativegate wrote: | This is the first I've heard of Termux and now I'm curious | what you use it for. Like are you SSHing into other | environments? | nromiun wrote: | https://www.passwordstore.org | | Here is a popular CLI app to manage passwords. I use it | on my desktop, laptop and phone. | terseus wrote: | You don't need Termux for that, there are native clients | for Android, I use this one: https://play.google.com/stor | e/apps/details?id=dev.msfjarvis.... | donio wrote: | For me ssh to access my main Emacs session is a big part | of it but I also run some shell scripts and CLI tools and | services written in Go. ssh-ing back into the phone for | file transfer is another important use. | dheera wrote: | SSH, and also when you're on the road and want to write a | simple Python script to process something, or do | something with your sensor data logging. Termux has a | Python API to access sensor data, it has numpy, it has | requests, so you can do a lot. | diogenesjunior wrote: | >I don't know what I will do | | >I will probably buy another phone and install LineageOS | nromiun wrote: | It was just a figure of speech and if you know how Termux | works even a rooted phone is no alternative. (Termux | exposes Android APIs, like camera and GPS.) | femiagbabiaka wrote: | Curious, is the Librem 5 an alternative you would consider? | nromiun wrote: | Sure, it is a good alternative. But I still need a phone | to do some work, like Whatsapp and banking apps (which I | don't think Librem supports). So I am waiting for it to | become stable and a little mature. | femiagbabiaka wrote: | Makes sense! | edrxty wrote: | Does LineageOS provide a workaround for this? 
| nromiun wrote: | Unfortunately there is no good alternative to Termux (its | Android API). But with a rooted phone you can use chroot | to install a Linux distribution. LineageOS is just a | popular ROM for rooted phones. | edrxty wrote: | I run lineage but I don't typically use my terminal on my | phone unless I'm using it for SSH. I hadn't though of the | chroot angle though. That's rather interesting... | donio wrote: | Once there is no way to run Termux that will be the end of | the line for me and I've been on the Android train since the | G1 days. I am ok with installing it from F-Droid or adb as | long as it remains runnable. (I guess I am in the bargaining | phase) | | I don't think that I am ok with not being able to easily run | my own executables since I rely on running a few Go utilities | in the Termux CLI. | yjftsjthsd-h wrote: | I'm personally planning to replace termux with a full | chroot; my phone is rooted, so all I need is an app to give | me the actual terminal emulator and I'm good. This would be | fine for running the odd Go utility, but is likely to be | insufficient if you're doing anything with the actual | Android API (which termux has been great at). And of | course, in the long term this is just another reason for me | to hope the pinephone gets to prod-ready ASAP:) | suifbwish wrote: | I am curious what root kit you use for rooting your | droid? I've always been hesitant to trust 3rd party kits | like that. | yjftsjthsd-h wrote: | I use magisk; it's open source and reputable. | rhinoceraptor wrote: | Arbitrary code isn't banned on iOS, there isn't anything (yet) | that can create fully fledged apps like Droidscript, but a few | cool apps are: | | - iSH: an Alpine Linux shell environment, powered by an x86 to | ARM JIT emulator | | - Scriptable: an iOS automation tool using Javascript, it can | even integrate with native iOS APIs like photos and calendars, | create native UIs, etc. 
| | - Pythonista: a Python IDE, you can create 2D games, use it as | a REPL, integrate with native APIs, and much more | | And of course, there are the 1st party apps, Playgrounds and | Shortcuts. | glsdfgkjsklfj wrote: | > Arbitrary code isn't banned on iOS | | It is. | | Even mozilla firefox is banned on the premise that it can run | arbitrary code and yes, that is the official apple instance. | | The fact that they apply it when they see fit and allow other | times, and that it is totally _arbitrary and opaque based on | their own private interests_ , is exactly what everyone with | common sense tried to explain when criticizing the walled | garden. | rhinoceraptor wrote: | Firefox isn't banned, Gecko and SpiderMonkey are. For a few | reasons, Apple doesn't want Blink/V8 demolishing users' | batteries, and they have the excuse that allowing 3rd party | browser engines is a security risk. | mrtranscendence wrote: | My understanding is that what's banned on iOS is not | arbitrary code per se, it's arbitrary code downloaded from | the internet. Code you enter yourself, like in Pythonista, | is just fine. | tomp wrote: | Isn't the problem JITing? Mozilla could ship Firefox, | even with the JS engine, it would simply be unusable | (compared to Safari) because they wouldn't be allowed to | run JIT (only interpreter). | lurkerasdfh8 wrote: | Really? you are you going to defend that point as not | arbitrary? | | If you want to split hair, where would you draw the line? | Should pythonista go out of the way to prevent copy paste | from the browser/email? | | Or should apple, being non-arbitrary, also blocks adobe | PDF reader since it can open PDFs from the web with | javascript just like a browser would do? | danShumway wrote: | > it's arbitrary code downloaded from the internet | | That's a huge caveat though. | | How far does that restriction extend? Can I share or | import Pythonista projects from other people? 
| | What's the difference between interpreting a file I | downloaded from the Internet and visiting a website? | caleb-allen wrote: | I believe Pythonista is interpreted, not compiled, and | outside of Apple's Swift app you are not able to run | compiled code | Oddskar wrote: | Firefox is in the AppStore. | kmeisthax wrote: | This is actually worse than the full iOS route, because Apple | is likely to at least listen to appeals and implement | bright-line rules between "things the app does" and "things users do". | They ultimately _do_ want to have developer tools on the App | Store and are willing to accommodate them to a point. Even the | "no competing browser engine" thing has a technical | explanation: Apple wants to be able to update that part of your | app without you being involved. | | Google just doesn't care about what your app does until they | start seeing click fraud, upon which they ban your app, delete | your Gmail, and ghost you. They've even done this to paying | GSuite customers, game studios they were working on, and their | own employees' spouses. As far as I can tell, antispam is at | the top of the org chart and can overrule all other layers of | management. I would never trust Google with anything I can't | backup or migrate to another service. | clownpenis_fart wrote: | Classifying javascript code execution as malware makes sense | Decabytes wrote: | I feel like we see these stories more and more often. Where an | App is removed from an App store for nebulous reasons. I feel for | the developers. This is their livelihood. | | I would also like to stress that this is why we should give more | effort to alternative platforms, even if they are "worse than the | current offerings". For example I don't see people jumping ship | off of YouTube and managing their own PeerTube instances anytime | soon, but it is sooo important that something like that exists, | and it should be looked at by people making content on YouTube | more seriously.
| tobyjsullivan wrote: | I have no prior knowledge of Droidscript or even android | development. I did, however, manage to find this page | https://symdstools.github.io/Docs/docs/app/CreateAdView.htm | | This presents a component which Droidscript developers can use to | display AdMob ads in their apps. AdMob appears to be a Google | property. | | Some interesting quotes: | | > The AdView shows advertisement banners from the popular AdMob | platform. | | > Ads are not touchable when running in the DroidScript IDE. | | So there's a confirmed experience where actual ads are displayed | in a non-standard way? Any guesses if this violates Google's ad | fraud policy? | | > Warning: Don't repeatedly click on your own ads unless you are | using a valid testId, or Google may suspend your Admob account! | | So it's the responsibility of individual users to correctly | configure their ads to avoid committing click fraud (accidental | or otherwise). | | I can see how Google might come to the conclusion that | Droidscript has built a platform for committing click fraud, | whether that's their intention or not. | | This seems incongruent with the wording in the original post: | | > they ask you for a "complete analysis of your traffic or other | reasons that may have led to invalid activity in your appeal". | Well, we had no idea what could have caused this and couldn't | think of anything we could do | | Really? No idea? | | Edit to add: I get that there's a larger debate here around the | general fight over device ownership and access to general purpose | computing. I'm side-stepping that because I don't have much to | add. What I do believe is that this particular piece is hardly | concrete enough to bolster the case against Google. 
| EricE wrote: | Neither Google nor Apple have demonstrated they deserve continued | trust to be the sole gatekeepers of their respective platforms :( | Zillion wrote: | I can think of at least two other apps that do this--which I | won't name in case Google is watching. Not to mention Termux, | which I can't live without. Why is Droidscript being singled out? | | Off topic: I won't be buying a new phone for a looong time so I | can keep Termux's functionality. | freeFromGoog wrote: | This thread got me to try fdroid and bromite. | | Highly recommend. | | I'm ready for the detachment from Google. This is why I got an | Android. | luismedinautah wrote: | Test1 ___________________________________________________________________ (page generated 2021-04-27 23:00 UTC)