It is another requirement of Google's, where all developers must be registered to them and apps must be signed by them and anything that isn't will be blocked.
Delve into System Settings, find Developer Options
Tap the build number seven times to enable Developer Mode
Dismiss scare screens about coercion
Enter your PIN
Restart the device
Wait 24 hours
Come back, dismiss more scare screens
Pick "allow temporarily" (7 days) or "allow indefinitely"
Confirm, again, that you understand "the risks"
Nine steps. A mandatory 24-hour cooling-off period. For installing software on a device you own.
(Or at least, that's their take on this. You can choose to read between the lines, or not, as to whether they have other motivations also.)
But for 1 person wanting to run their own software there are hundreds of people with the potential to install malware/crapware/etc
That is, fine by me. I can wait for 24 hours once in a few years when I acquire a new mobile phone.
Look, I can't locally install a web extension I wrote on an open-source Firefox browser, because security. I have to install a Developer Edition, or get the extension reviewed and signed by Mozilla, for the very same reasons of thwarting scammers. Is this stifling, or is it making my browser not mine? Is anybody making a big deal out of that?
The world we inhabit is not always friendly. It has a ton of determined and sophisticated bad actors, and a lot of people with less technical savvy than you and me. We have to deal with that, instead of being cantankerous.
Because as a reader to this forum, you're probably more tech savvy than the average person. Moreover this type of scam seems to be more common in Asia than the West, see:
https://cdn.economistdatateam.com/videos/cyber-scams/fake-vi...
https://www.economist.com/interactive/asia/2026/04/10/scam-i...
They convince users to download a "government app", grant it accessibility permissions, then use that to take over their phone and drain their bank accounts.
>Especially when it affects safer app repositories like F-droid more than the cesspit that is the official Play store.
Where do you draw the line? If you whitelist f-droid, do you have to whitelist third party f-droid repos too? What about other app "stores" like Obtainium? Moreover f-droid being less of a "cesspool" is likely because its reach is smaller, not because it has better moderation.
https://privsec.dev/posts/android/f-droid-security-issues/
And most Android banking malware is distributed through unsafe sideload installs (as opposed to much safer Gatekeeper-style installs, which is what is coming) and is fed to victims through complex attacks involving obtaining a victim's personal information and calling them while credibly pretending to be a local authority or a bank representative. You can read about this wherever you get news about cyber crime.
This is a scourge in South East Asia and Google can do some good here. The only cost is whining from non-technical people. Everyone else will go pay $25 or whatever and sign their app.
But it's limited to a one-time action, not encumbered by additional papers or payment. I don't foresee any trouble using F-Droid (which I use a lot) after I have dismissed the scary screens and confirmed that I know what I'm doing.
Automated bans can be an issue, but that's an edge case. Google already had the functionality to 'revoke' an app if ordered to do so by a legal authority.
It is much more important to make a real world attack - something that is draining wallets of ordinary people across Thailand/Brazil/SEA in general - harder to achieve. One thing is a political goal of some people in the west, the other is an ordinary person not having the money to feed themselves because a scammer stole it all.
Google doesn't have the ability to change the way banking apps work with regards to transferring money from one account to another in Malaysia/Brazil/Thailand. That would be a matter for the national Governments. This is the best approach available.
Users who use F-Droid are already not as lay. If you distribute stuff that Play Store would ban, your users are likely not as lay, too.
Yes, it's inconvenient, but I see it as a good-faith attempt to limit exposure of lay users to scams, not some power grab.
Somehow bank vaults and heroin storage boxes don’t take this long.
Worse: this flow runs entirely through Google Play Services, not the Android OS. Google can change it, tighten it, or kill it at any time, with no OS update required and no consent needed.
And as of today, it hasn't shipped in any beta, preview, or canary build.
It exists only as a blog post and some mockups.
The malware issue that the flow is designed to mitigate is a very real problem. Perhaps there is a better way, but it's not immediately clear what that is.
I wouldn't consider this "a few buttons", it's enough to turn off the less savvy users
> every Android app developer must register centrally with Google before their software can be installed on any device. Not just Play Store apps: all apps.
> Registration requires:
> Paying a fee to Google
> Agreeing to Google's Terms and Conditions
> Surrendering your government-issued identification
> Providing evidence of your private signing key
> Listing all current and all future application identifiers
Google is not an entity you can trust with this.
Stock GMS Android was never yours, you only had access to basic permissions, privileged/signature permissions were only accessible to Google/vendors anyway.
I'm no slouch either, I've developed for android for almost a decade.
I'm not disagreeing with ya, just adding a comment so folks are aware that the "Graphene just works" crowd is sometimes a bit hyperbolic.
(idle interest; I use Graphene, but few apps, and everything worked so far)
After that? I only had one application fail due to Graphene's memory allocator. No weird bugs, no need to restart like some siblings are commenting. As close to the "Graphene just works" as it could be.
However, I'm not heavy into Google's ecosystem. Google Pay will not work but I'm not a user, some Google features won't tell you why they don't work but I'm not using them either (Quick Share for instance), none of my apps require the highest Play Integrity level. Maybe the people who say this are a specific type of person whose use-cases don't overlap with what breaks on Graphene.
Firefox + stock keyboard stopped properly working three days ago, it's back to normal now. No idea what that was about. Restarting was the only way I found to get things working again during that period.
While on the stock Android keyboard, it is clear that the Google one is much better at correcting my taps than the stock one. My typo count has gone up significantly.
Every several weeks the mobile connectivity stops working and nothing short of a restart will get it working again. This might be a bad interaction of the very weird way Google Fi works with a secondary user account.
I've encountered one case of the phone shutting itself off to install an update overnight and not turning on, making me miss my morning alarm.
In the US, there's no way to side step the lack of tap to pay.
Getting apps to work with Android Auto requires some finessing.
These are the things I've encountered in the last 2 months of using Graphene.
Aside from all of that, I really like everything else about the OS. As it stands, it does lack polish when straying outside of the common path. Not using a secondary account, nor Google Fi on an eSIM, and using the stock browser would likely improve my experience significantly.
I haven't encountered an app that wouldn't work yet (but have installed play services as I do want to use Android Auto).
I would still recommend Graphene for normal-ish users, as long as you don't go "paranoid mode" with secondary accounts and skipping play services or don't want to use the phone for tons of things beyond phone calls and web browsing. The base experience is that much calmer than stock Android on Pixel.
Dating… well, the goal for most people is to exit the dating pool anyway.
Social media is bad.
Messaging apps will continue working.
Banking apps made by reasonable companies will also. In days of banking being competitive and rather open with many providers offering good value, it's so easy to switch providers. Granted I am relatively poor and keep my banking simple, but I doubt card providers want to increase friction either. After Revolut started requiring >basic integrity it took me appx 1 day to switch to n26 and nothing of value was lost.
Not being able to use social media, e-commerce, and dating apps sounds great.
I really hated my Pixel 7 Pro, but I think that was bad hardware and not Android's fault, and since buying my iPhone 13 I have bought my Thinkpad and have been unbelievably impressed with Lenovo hardware (especially since the last Android phone that I bought that I actually liked was my Moto X3).
It would be great if Graphene ends up getting support from at least one first party, because at that point I think there's at least a chance it won't screw with banking apps and the like.
But beyond whether the OS is good or not, "fuck you, I've got mine" is not only sad as a position in general, it is also a bad tactical choice, because over long enough timeframes you can't assure that you can keep yours if others are deprived.
Borrowed time. I hope not, but that's the prevailing feeling.
It's quite problematic that someone can currently upload a package name belonging to another organization to the Play Store and that should have been stopped years ago since it was used in many cases for scamming and squatting on package names clearly belonging to others. Package names are meant to start with a reverse domain belonging to the owner such as app.grapheneos for our grapheneos.app domain. They could enforce this based on domains authorizing usage without enforcing ID verification and that's what we would have proposed.
This is one of the ways F-Droid has ignored standard best practices including security practices in a way that's already causing problems but is now a massive issue for them. If they had started doing things properly many years ago when it was first brought up, then they'd be in a much better situation today. They're going to need to deal with this by renaming all their package names to org.fdroid. to avoid issues with the proposed changes. This is problematic because existing users will stop getting updates. It's better to use a prefix than a suffix where a developer could end up changing their mind about whether it makes sense resulting in conflict over the name, which is fair since they still own it if it's their reverse domain.
I'd like to see, if it can be found, some anecdotes about the nuts and bolts of writing any kind of material intended to persuade in this way. How do they a/b test the formatting and so on.
Why is this acceptable for phones but would not for the case above?
I know a lot of people don't care, and that's ok, but we should root for an open choice for the users.
This measure is about making it harder to pull off a specific type of scam that is plaguing South East Asia. No conspiracy.
For actual information on the purpose of this change rather than conspiracies, I refer you to https://android-developers.googleblog.com/2026/03/android-de...
Since the victims of these scams do not typically own a traditional computer/cannot be pressured to get to one quickly, ADB will remain a thing.
Complex, multi-day pig butchering stuff is not what Google is going after here or would have any hope to defeat. But they can deal with banking malware.
This is why I've stuck with Android for the past 15 years.
In principle I could never reward Apple with my business for having originated and normalized this.
And pragmatically, I'd like to hold on for as long as I can to the next set of rights that Apple will take away five years before Google does.
Was it convenient? No, of course not, but it's been an option for quite a while; to me the biggest advantage for Android was the fact that it was relatively easy to sideload apps.
To be clear, I don't like that Google is doing this, and I think arguing that it's for security is a half-truth at best. I could make my phone 100% "secure" by pointing a nail through the NAND chip; no one is getting into my phone after that.
With the advent of vibe coding, a part of me wonders how hard it would be to hack together my own phone OS with a Raspberry Pi or something and a USB SIM card reader. Realistically probably too much work for me, but a man can dream.
I would say keep the faith as I'm in the same boat and have made my choice for privacy and control. Giving up everything when it could very well be a minor setback is worth holding the line.
So far, I have been utterly incapable of getting my iPad to do anything remotely similar. It can run syncthing, technically, but not in the background. Apps don't have a shared filesystem structure, so it's difficult to get anything else set up to "save within my shared folder" in a way that would work, and that disregards that the syncing cannot occur when anything else is open. There's all sorts of cloud backup options, but those require the internet and even when they're working, there's this awkward import/export flow that adds friction to the whole dance.
In isolation this would just be a small papercut, I guess, but these sorts of limitations are all over iOS. It's just terribly hostile to anyone not fully committed to the Cloud-first, Apple-hardware ecosystem. Android doesn't care, and doesn't have to care, because it lets me run the software I want. It's a really small set of programs too, at the end of the day. (Firefox with real extensions is the other one.)
That said; iPhone is my main phone, has been for a decade or more. But I deeply appreciate what you can do with an android.
If anything, I'd like more openness in Android. For instance, apps should not have any control over what data I can back up; I should be able to back up every aspect of every app, restore it to a new phone, and apps should not be allowed to care.
If Android isn't open, we lose the last open mobile operating system, which will have immeasurable negative effects on computing as a whole. People will need permission from either Apple or Google to create any mobile program. If you don't fit into their neat little system, you don't get permission. If I hadn't been able to publish my app for another 2 years I probably would've shelved it, decided it was stupid, forgot about it, got busy with other things, and never published it.
Millions? Are you sure?
Even so, Android has billions of users who want secure app management by default.
2 weeks ago https://news.ycombinator.com/item?id=47778274
With so few users, many fewer developers will release apps that don't comply with Google's requirements. Then the value of opting out will decline significantly, which will reduce the number of people doing it, which will reduce the number of apps released ...
How do corporate users distribute custom apps on iPhones? Must they distribute them via Apple's store or is there some corporate mode, maybe involving X.509 certs and device management, that enables large-scale professional users to sideload?
I can't see where one can opt-out of this new behavior and into the existing behavior, only a description of the new behavior's bypass (which is not the same thing at all)
> easy to bypass the cooling-off period with ADB
I don't think this is a reasonable use of the term "easy". I should be able to give my non-technical friend an apk and they can use it right then, with the one "are you very sure" screen.
I now know zero people I don't think should use linux, and people I know seem to run quite a gamut of technical know-how compared to most other technical folks I know
I don't understand this, the ability to bypass new behavior in settings menus is basically the definition of a new feature having an opt-out. Can you elaborate?
The person who accused you of astroturfing is likely not a person at all. More likely, it was Kimi.
Unless people are paid to do it vs. volunteer
You see, the only value that Android really offered me was the ability to run my own code on my own device. Since they are taking that away that just makes it a crappier shadow of the vastly superior apple experience. And, as it turns out, ios is less restrictive than it was 18 years ago when I left them for Android!
Android will still have the ability to install non-google-distributed programs. The problem is the ominous momentum, but it is still more open than the apple alternative
From my perspective iOS is better than Android in a number of ways but Android always won out overall for me, in large part because of the freedom regarding software. Remove that freedom from the equation, I think the balance tips towards iOS.
I'm in no way defending Google here, just pointing out you're going from bad to worse and think it's a good thing.
After switching away from GrapheneOS to iOS after RCS stopped working for me, I can safely say my experience has been the opposite. The camera is the only thing better for me on iOS - everything else is buggier and worse. A few of my favorites:
1. Safari is buggy as hell, and requires installing apps to run things like ad blockers.
2. The settings are ALL over the place and very hard to navigate
3. The gestures are clunky - often have to try a couple times to get one of the settings quick menus to drop down
4. Why is the date not displayed at the top of the screen with the time outside of the lock screen?
5. The pin unlock is horribly broken - I have to slow way down to use it compared to Android.
6. Apple maps is hot garbage. I had to install Google Maps anyway to get decent performance.
7. The handling of audio devices seems intentionally malicious - like if I call someone from my car through car play, it shouldn't send the audio out through the phone earpiece. If a call begins with phone earpiece audio and is underway, it shouldn't switch several seconds in to bluetooth headset half a house.
I'm going back for my next phone.
What we actually need are (open) alternatives, not to double down on Google's ecosystem and Google-controlled OS. We need to control the device we bought and be able to run whatever we wish on it. Just like we do on PCs.
I keed I keed!
But unfortunately there really isn't a great alternative. I painfully attempted to use Ubuntu Touch and it's always the same thing. The lack of available apps, the lack of app development in general for the platform was pretty eye opening. Add in having it only run on really old devices isn't much help either. It's promising, but a long ways off even from some of the non-standard roms I've used like Evolution X which is a Lineage fork.
If this really does cripple a lot of the known custom roms out there without any solid alternatives other than Graphene? It could really be a huge turning point.
On the other hand, malware which coaxes normies into installing unverified apks, is an undeniable fact of life. It's nice to be pontificating as a power user who has never been phished or whose devices never became botnet zombies in their life.
On yet another hand, higher-end malware (made by those who can afford the store fees) is there on the freaking play store and app store, so, I guess, shrug
How is this not the same walled garden approach apple was forced to change?
Read every word on the linked page and then come back if you still do not understand.
Throw a pinch of salt over your left (wait, no ... right) shoulder. Spin around clockwise 3 times. Read the Rosary twice.
AHA! So, they are allowing users to keep doing what they want.
A big reason why a non-locked-down OS is absolutely vital to me is that sometimes I (reluctantly) have to travel to places where I need to install obscure VPN/proxy services to be able to access international internet. Most services present in app stores have been banned for years now, and the government sometimes even succeeds in making Apple/Google remove the more effective ones from the stores.
smalltorch•1h ago
jnovek•1h ago
You can’t use stuff like banking apps on a modified device and losing access to normal android devices would be a big blow to the momentum of the F-Droid community. GrapheneOS might not be a big enough community to sustain work on the projects delivered by F-Droid.
zb3•1h ago
For me it seems the opposite - if these "normal" (GMS spyware) Android devices lose the access to F-Droid and it will only be possible to install malware/adware from Google Play, then maybe that will push more people to value unlocking the bootloader..
gruez•1h ago
IME such apps are few and far between. The most trouble I ran into is play store refusing to show apps because they claim the app isn't compatible with the device, but that can be worked around with aurora store.
Sayrus•50m ago
bakugo•33m ago
And Google has an answer to the "just install the APK from somewhere else" workaround, too. Many apps now integrate a check that prevents them from running if they're not properly linked to the Play Store.
phreack•52m ago
zb3•41m ago
GrapheneOS will sadly stay unaffordable for many.