Google is Adding Anti-Tampering DRM To Android Apps in the Play Store

Google has introduced a small change to Play Store apps that could significantly protect several Android users. From a report: Earlier this week, Google quietly rolled out a feature that adds a string of metadata to all APK files (that's the file type for Android apps) when they are signed by the developer. You can't install an application that hasn't been signed during its final build, so that means that all apps built using the latest APK Signature Scheme will have a nice little chunk of DRM built into them. And eventually, your phone will run a version of Android that won't be able to install apps without it.

Good idea

[SuperKendall]

The article is dismissive of the direction this is heading, but in a world where 99% of the people using a mobile device simply have no ability to manage digital security, you just can't continue to allow people to install something from anywhere.

As a technical user I absolutely want there to be way more open options where people with technical ability have a lot of freedom as to what they can do, and I'm sure some Android devices will continue to provide that. But the world also absolutely needs Apple-level closed off system like the App Store that protects people who cannot protect themselves from remote exploitation and harm.

Re: Good idea

This doesn't do any of that. It just makes it more difficult to install an app that the original developer hasn't signed off on.

Re:Good idea

[b0s0z0ku]

So hide the ability to install unsigned or non-Play-Store apps, but don't prevent it entirely. Hiding it in Developer Options after a big, fat disclaimer should be enough, frankly.

And no, the world doesn't need more Crapple-style paternalism where a bunch of do-gooding censoring pricks in Cupertino decide which apps are good enough for users to run. It's not only safety-based -- Apple has been known to ban political games or things which they find to be in poor taste.

Re:Good idea

[WaffleMonster]

The article is dismissive of the direction this is heading, but in a world where 99% of the people using a mobile device simply have no ability to manage digital security, you just can't continue to allow people to install something from anywhere.

Of course you can. It's done by creating operating systems not full of swiss cheese escalation vulnerabilities and giving users meaningful access controls that never devolve into take it or leave it demands of software.

Google refuses because it eats into profits of themselves and app developers. God forbid a user is able to feed fake location, address book and phone data into malware they downloaded from Google play store or restrict access to resources... App developers would riot. Owning users is the business model of the everything must be FREE app store market.

As a technical user I absolutely want there to be way more open options where people with technical ability have a lot of freedom as to what they can do, and I'm sure some Android devices will continue to provide that.

Damn straight!! The peasant class doesn't deserve no stinking freedom. They can't handle it. All Hail King Alphabet ruler of all teh Intertubes.

But the world also absolutely needs Apple-level closed off system like the App Store that protects people who cannot protect themselves from remote exploitation and harm.

Good grief, let me know when all the malware in the Google app store is gone. Really perverse aspect of these arguments is the failure to understand app stores themselves are responsible for creating "race to the bottom" market incentive that only fuels development of malware and resulting 0wnage of millions of users.

This is nothing more than being as evil as possible for financial gain while blurting out "SECURITY" as justification for everything. No different than Facebook saying it needs to do cross site tracking of everyone everywhere in order to protect Facebook.

The ONLY problem is proliferation of defective operating system jails and associated access controls.

Re: Good idea

[bluelip]

It's not about security. Google is doing this to lock-in users to their ecosystem. They realize users are starting to look elsewhere for software because of the privacy issues. This step is about adding another course to the wall around the garden rather than protecting any user.

Re:Good idea

[Khyber]

"It's done by creating operating systems not full of swiss cheese escalation vulnerabilities"

Well, if people could fucking master the first three layers of OSI, the additional 4 afterwards wouldn't be a fucking requirement tacked on as an afterthought, and would be totally unnecessary.

Re:Good idea

in a world where 99% of the people using a mobile device simply have no ability to manage digital security, you just can't continue to allow these ignorant people to operate mobile devices without a license..

ftfy

Re: Good idea

[BronsCon]

Well if they do it, they lose the one advantage they have over iOS.

Re:Good idea

[mschwanke97402]

But the world also absolutely needs Apple-level closed off system like the App Store that protects people who cannot protect themselves from remote exploitation and harm.

Agree completely.

This current proposal might not get us there by itself but it looks like Google is headed in the right direction.

Re:Good idea

[phantomfive]

Of course you can. It's done by creating operating systems not full of swiss cheese escalation vulnerabilities and giving users meaningful access controls that never devolve into take it or leave it demands of software.

I want to point out that Linux is full of privilege escalation exploits (as is every other OS.....even OpenBSD only brags about remote exploits, not the local ones), so this isn't really an option right now.

Re:Good idea

[phantomfive]

Well, if people could fucking master the first three layers of OSI, the additional 4 afterwards wouldn't be a fucking requirement tacked on as an afterthought, and would be totally unnecessary.

ok, I think you have an interesting point here, but it's not really clear what you are saying. Could you please expand it a bit?

Re:Good idea

[mschwanke97402]

in a world where 99% of the people using a mobile device simply have no ability to manage digital security, you just can't continue to allow these ignorant people to operate mobile devices without a license..

ftfy

I think I might prefer ignorant people to arrogant. Anyway, it definitely should be possible for kids to Pokemon and mlilenials to Instagram with portable networked devices without worrying about how it all works. Smartphones have become, and should be, ubiquitous nearly world-wide because of their simplicity. You want complexity, go back to your PC.

Re:Good idea

[swillden]

The article is dismissive of the direction this is heading, but in a world where 99% of the people using a mobile device simply have no ability to manage digital security, you just can't continue to allow people to install something from anywhere.

Of course you can. It's done by creating operating systems not full of swiss cheese escalation vulnerabilities

So, step one is to do what no one has ever managed to do in the history of widely-used consumer operating systems. You have an extraordinarily high opinion of Google's engineers. Thank you, but we're not that good. If you are, please send me your resume.

and giving users meaningful access controls that never devolve into take it or leave it demands of software.

That was done in Android 6.0, in 2015. Unfortunately, Android fragmentation means that it's not yet possible to force all apps to use it, because there are still too many older OS versions in active use. I think we should be able to do that in the next year or two, but that's only my guess, and it's not my area of expertise.

God forbid a user is able to feed fake location, address book and phone data

For address book data, I think the better solution is not to give apps access to the address book at all. Instead, give them a system API that allows them to request that the system throw up an address selection dialog, and then give them only the data the user chose. Unfortunately, that would be a huge change for the app ecosystem, so it would have to be done carefully, and even when done it would take time to roll out and convince app developers to adopt it. Also, users won't want to be restricted to only default address book management tools, so we'll still have to provide a permission that allows unlimited access, though hardly any of the apps that have address book access now would need it under this notional model.

As for fake data... I don't know. There's a lot of debate about that. I don't think anyone is philosophically opposed (and no one cares about the alleged financial considerations that you're so certain drive us), but no one really believes it will work, either. It'll just produce an arms race between fake data generators and fake data detectors. And it would also make spoofing of location-based games, etc., completely trivial, which negatively impacts the users of those games, as well as the developers. All in all, it seems like a lot of effort for little net gain, if any.

App developers would riot. Owning users is the business model of the everything must be FREE app store market.

Overstated, but not fundamentally wrong. It definitely is true that the Android team wants to serve developers as well as users, because a platform has to have both to exist. And device makers, too.

Damn straight!! The peasant class doesn't deserve no stinking freedom. They can't handle it. All Hail King Alphabet ruler of all teh Intertubes.

This is isn't the Android team's approach or perspective at all. There's a reason that Nexus and PIxel devices have always had unlockable bootloaders. It's because Google believes that technical users should have control of their devices. With Project Treble new devices are now in a state where you can flash a custom AOSP build onto any device you can unlock, without needing to worry about vendor binaries... it's taken a huge amount of work to get to that point, and while most of the reason for doing it is to fix the upgradability problem (and resulting fragmentation problem), making life easy for modders and makers of custom ROMs is part of it, too.

I host a regular conference call for talking to key players in the modding and rooting community, which the specific goal of helping my team to understand how we should best design to make their lives easier. I love to see technical users doing interesting thi

Re: Good idea

[Joce640k]

Maybe so but this will only protect "several" Android users and I'm guessing we're not on the list.

Re:Good idea

[AmiMoJo]

You can still install apps from outside the Play store, it's just that they must be signed as part of the final build process. Most are already anyway, and it's easy to add to your build process.

The upshot of requiring signing is that apps can't be tampered with. We have seen recently some fake versions of popular apps like WhatsApp and Pokemon and Fortnight, which are the official ones with added malware. With the signing requirement it won't be possible to add the malware, because the signature check will then fail.

They could re-sign with their own cert, but then it's very easy for Google to detect and block. Easier than trying to detect obfuscated malware, for example.

Re:Good idea

[AmiMoJo]

It's done by creating operating systems not full of swiss cheese escalation vulnerabilities

People who think that's even possible are the reason why we have operating systems full of Swiss cheese escalation vulnerabilities.

Security that relies on one layer, in this case the OS being coded securely, is not secure at all. Even if you were the first person in history to code a completely secure OS, someone would just trick the user into installing some crap or use a hardware flaw like RowHammer or Meltdown to bypass your protections.

The only solution is defence in depth. That's what Android has, it's what iOS and Windows have, it's what Linux has now.

Re:Good idea

[mjwx]

So hide the ability to install unsigned or non-Play-Store apps, but don't prevent it entirely. Hiding it in Developer Options after a big, fat disclaimer should be enough, frankly.

I believe this already exists and is off by default... At least in vanilla Android.

And no, the world doesn't need more Crapple-style paternalism where a bunch of do-gooding censoring pricks in Cupertino decide which apps are good enough for users to run. It's not only safety-based -- Apple has been known to ban political games or things which they find to be in poor taste.

I agree and I dont think this move is intended to implement an Apple style of 1984 content controls. Its just adding a system of verifying an applications authenticity.

Re:Good idea

[Excelcia]

I'm not sure what I find more frightening. The fact that you are writing, ostensibly seriously, about reducing freedom being a good thing all around, or that four people modded that up. That's seriously disturbing, especially here.

DRM doesn't add end user security. It only adds central control where a single entity, one who's end motivation is not security but profit, has 100% of the decision making capability of what can end up on your device. Software-as-a-service, mandatory remote updates, and walled-garden DRM are the holy triumvirate of a loss of local decision making authority and corporate and state control. In an age where computing devices are becoming more and more not just a luxury but an absolute necessity, where computing devices are integrated into our lives, do you really think it's a a good idea to cede our freedoms like that? The more integrated electronic devices become, the more important it becomes to assert the supremacy of the user's decision.

Re:Good idea

[Khyber]

https://blog.finjan.com/applic...

Re:Good idea

[barc0001]

> Hiding it in Developer Options after a big, fat disclaimer should be enough, frankly.

You'd think, but then you haven't dealt with some end users. A percentage of them would happily follow a tutorial on disabling that in order to install this "cool new book reader/movie streamer/whatever" if asked by a popup.

As for the disclaimer, I used to work at a software company for a packaged software product. The type of database the application used destroyed records immediately so unless you had a backup, the records were GONE. In order to prevent people from accidentally deleting records in this application, when you clicked delete or hit the delete key on the keyboard, the application would pop a dialog asking to confirm that you were sure you wanted to delete the selected record(s). If the user hit yes, a second bigger more scary looking dialog popped up and said effectively "This is irreversible and the records will be fucking GONE GONE GONE. Are you REALLY SURE?" *and* we moved the default focus on the button from 'yes' in the first dialog to 'no' for the second, so if someone just mindlessly rammed the enter key twice, it would back out of the delete instead of killing the records. You want to guess how many calls a day we got from distraught users frantic about restoring deleted records? A lot.

Re:Good idea

[datavirtue]

Human beings are incapable of building an operating system or any significant software without being full of swiss cheese escalation vulnerabilities and bugs.

Re:Good idea

[datavirtue]

Application security...if done properly would not need to fall back on the lower layers of the OSI model to pick up the slack you dumb monkey.

Re:Good idea

[tepples]

Define "gone". If your definition is "zero", then no app distribution channel of any size will ever reach it. Google Play has extremely low rates of PHA (potentially-harmful apps -- a somewhat broader category than "malware") now, and it's being driven down year by year.

I'd start by defining "gone" as the probability of encountering a PHA on Google Play Store being less than that on Apple's App Store during the same month.

Re:Good idea

[swillden]

Define "gone". If your definition is "zero", then no app distribution channel of any size will ever reach it. Google Play has extremely low rates of PHA (potentially-harmful apps -- a somewhat broader category than "malware") now, and it's being driven down year by year.

I'd start by defining "gone" as the probability of encountering a PHA on Google Play Store being less than that on Apple's App Store during the same month.

Do you have evidence that it is not? Serious question. AFAIK, both stores regularly have PHA, but I'm not aware of any good anlayses of the relative frequency.

How will sideloading work?

[b0s0z0ku]

Right now, you can sideload by clicking through a disclaimer. Will you still be allowed to sideload unsigned apps (say, for your own testing)?

What about installing an older version of an app if your version of Android doesn't support the new one? Will this be used to enforce regional restrictions (i.e. Facebook Messenger Lite is much less intrusive than the full Messenger, but isn't available in the US Play Store)?

Re:How will sideloading work?

google is trying to wall the garden in like apple (has mostly been able to do).

soon only approved and signed software of any kind will run.

rooting your device will be a thing of the past.

side loading will be a thing of the past.

as google pushes more for delivering updates themselves instead of relying on hardware or carrier partners, expect the (forced upon you) updates to kill any hacking or rooting you've done or 'unauthorized' apps you've managed to install.

having any control of any kind over YOUR hardware will be over.

developers will probably be able to purchase a dev kit to run apps they, and only they, are working on.

expect a similar treatment for chrome browser and chromebooks.

Re:How will sideloading work?

[110010001000]

Expect a similar treatment for ALL COMPUTERS and devices connected to the Internet. Don't think it will happen? Just wait.

Yes, only "several" will be protected

[macraig]

And the rest of us must suffer the mighty fist of dictatorial oppression?

Re:Yes, only "several" will be protected

[b0s0z0ku]

The problem is when all of the large device makers end up cramming this filth down their users' gullets.

APK Signature Scheme?

[b0s0z0ku]

APK Signature Scheme = A.S.S. Not the best choice of acronym.

Re:APK Signature Scheme?

[usu4rio]

There's nothing to worry about. After all Google's motto is "don't be evil" ... oh wait!

Re:APK Signature Scheme?

[BronsCon]

That name is just to assure us that there will be a giant hole in the middle of it.

Nah

[rossdee]

I don't buy Apps from Google Play, I buy them from Amazon.

Re: Nah

[Bing+Tsher+E]

To expand on your message since there are people not aware of the details, you can get a brand new Android device, or factory reset an old one, and never ever set up a Google account on it.

If you want an alternative app store, configure it to load apps from 'unknown sources' and download the Amazon app store (or others that are available) which is an installable apk file. Then you log in with your amazon account and can install most of the important Android apps without ever touching Google's servers with a logged in account.

There are lots of other places to download apk installers as well, to run without an 'app store' at all. None of this is new to a lot of slashdotters, but it's not common knowledge to the world at large.

I'll ask the obvious...

[110010001000]

I seem to remember that developers need to sign their apps already (and have for many years). What am I missing?

Re:I'll ask the obvious...

[b0s0z0ku]

What if the metadata tells the app not to install on (say) devices outside of certain countries? Would region-restricting be DRM in your book?

Re:I'll ask the obvious...

May be abused? "MAY"?!

The entire purpose of this is to lock you in and prevent you from changing anything that google does not want you to change.

Re:I'll ask the obvious...

[complete+loony]

Android used to use jar signing, which adds a file of signatures to the zip file. Then they build their v2 signing process, which adds a new block to the zip file between the compressed contents and the directory listing, signing the file hash of the rest of the zip file, directory listings and everything.

Now when you publish to the play store, google are inserting another signature into this v2 signature data block, indicating that this apk was published.

AFAIK this will simply extend their default "play store apk's only" detection to sideloaded files.

Of course it opens the possibility of sideloading an old vulnerable version of an apk...

Re:I'll ask the obvious...

[complete+loony]

Another probably relevant thought. Google recently added the capability to upload your developer signing key, so they can produce apk's with irrelevant assets stripped out. I assume that this feature causes problems for people trying to share apk's between phones. Hence the need to add some extra data to a stripped apk to test compatibility.

Re: AOSP is, to be precise. But you are right.

If you have to explain your *hilarious* wordplay it's already failed.

Re: AOSP is, to be precise. But you are right.

[b0s0z0ku]

It's not meant to be hilarious -- it's meant to be an expression of utter contempt towards the "Cloud" and the corporate scum who are attempting to nudge users to give them their personal data.

Not DRM

[Luthair]

Adding an origin signature simply helps prevent the spread of malware as a device can verify that it is a legitimate package instead of some compromised apk. This has been an issue for a long time even in the west where users have internet access (fortnite apk!1!) and has been much more problematic where people have limited and expensive internet.

Re:Not DRM

Except this is pointless unless your intent is to require that all signers be pre-approved in the future. Otherwise it's just checking that the signature that's on the apk data, matches a key that was also in the same apk. See the part about the digests must match the signers in the apk here. Also, nice chopping up of the ZIP format again, that's not going to cause parsing bugs anywhere now is it?

Malware still spreads with this, the only difference is that it's not able to claim itself as another package. Which malware authors already can't do easily, and wouldn't want to anyway. Less the Play Store "updates" the malware infested app with the legitimate one thus removing the malware.

As I already said, the only thing this is good for is a future requirement of the signer's identity being pre-approved before installation. Such a scheme is ripe for abuse, I can easily see more repressive regimes around the world mandating only their lists be allowed. Nevermind US carriers wanting to demand the same to help lock in profits. I.e. No more tethering app for you. It is DRM, it's just not fully baked yet.

Re:Not DRM

[Luthair]

Except this is pointless unless your intent is to require that all signers be pre-approved in the future. Otherwise it's just checking that the signature that's on the apk data, matches a key that was also in the same apk. See the part about the digests must match the signers in the apk here. [android.com]

If you read their blog post it seems clear that the signature will come from Google Play itself not some random signer.

Also, nice chopping up of the ZIP format again, that's not going to cause parsing bugs anywhere now is it?

How is that relevant exactly? If someone wants to crack open an APK they can make sure their parser works correctly with the format instead of relying it being similar to a zip.

Now you know your malware is legitimate.

[NextApp]

This does nothing to solve the malware problem on Android, because the malware is being distributed by "legitimate" vendors directly on the Play Store.

I get complaints of full-screen video ads in my ad-free apps from users who have never side-loaded anything. Malicious apps are launching them from the background, which is against the TOS, but technically trivial to do. If they get caught, they either call it a bug or start another company/product-line.

As far I can tell, Google promotes the highest revenue generating apps...so the dirtier the tactics you use, the more you succeed.

The bad apps do take a beating on reviews from legitimate users, but this is worked around by the developers posting massive quantities of fake reviews. It's presently somewhat easy to spot, legit apps will have reviews that are generally 1-3 sentences long, while fraudulent ones will have pages of 1-3 word reviews (often clustered together). Google doesn't seem to care though, as even some of the most popular apps are doing this to counter backlash from ever more ridiculously aggressive in-app advertising.

And then of course there's the problem that the average app today is so invasive of privacy that it would have been deemed outright malware ten years ago.

Re:Now you know your malware is legitimate.

[thsths]

I completely agree. Even generally nice and useful apps are using so many dark patterns that they technically have to called malware. And this is all perfectly "normal".

Re:Now you know your malware is legitimate.

[swillden]

Malicious apps are launching them from the background

If you know of any such apps, please report them.

Re: Now you know your malware is legitimate.

[houghi]

My malware was already on my phone and I can not even remive it. They are all g om Goigle. I do not need, hanhout, gmail, youtube, docs, druve sharing, chrome and all th rest.

Re:Self-fulfilling idio(crac)y!

[Computershack]

The only reason people behave so damn retarded with regard to computers ... and I mean on a level that qualifies as literally mentally disabled ... is because tech firms have treated people like non-independent retards until they were.

No, its because there are millions of people using computers today who just 25 years ago wouldn't have the basic knowledge to even work out how to put the system they'd bought together, let alone how to get online. Once upon a time using a computer required a reasonable amount of technical knowledge or at least an IQ sufficient enough to learn.

Re:Self-fulfilling idio(crac)y!

All you computer geeks who really know your computers, but can't change a tire or design an airplane, please desist from using any mechanical devices. We can't have non-independent retards like you taking advantage of other people's specializations.

Kill switch?

[rsilvergun]

that's why Mozilla started signing apps. It gives them a kill switch in case a plugin author sells their plugin to someone dishonest. There's been a few moderate profile cases of it happening (nothing more than a few hundred thousand users, which sounds like a lot until you realize how many FF users there are).

Re:Kill switch?

[usu4rio]

I trust Mozilla more than Google

Keep turning those screws, Google

[nightfire-unique]

We - the engineers who wrote the software your company uses to generate profit - are watching. Screw us out of our own systems, and we will replace you, as we did those before you.

A new feature came out

[Actually,+I+do+RTFA]

Will you still be allowed to sideload unsigned apps (say, for your own testing)?

Coincidentally google just released a "special internal test build" track in the Google Play store that doesn't go through malware scanning and "is only for use within your organization", but has a much faster go-live time.

Seems appropriate to me

[Leslie43]

Since it really does very little (if anything) for security anyhow.

Re:Better than looking like an ILLITERATE assHOLE

[BronsCon]

Uh... that wasn't me, dipshit.

Re:Better than looking like an ILLITERATE assHOLE

[BronsCon]

Hey dipshit, wasn't me.

when I posted it before here [link to the post you're replying to for the second time]

Uh...

LAME & WEAK - another method from me

Indeed, another lame and weak method from you...

also a PROTECTIVE TECHNIQUE I use in my hosts file engine

So you invented the digital signature? Or is it someone else's invention and work that you're using, much like the hosts file and the host lists you concatenate, while bitching about people using your initials as though you're the only APK in the world? Here's a hint: you're not, and many of them are far more notable and recognizable than you.

break up Google

[Reverend+Green]

Big Brother Google is too big, too invasive, too untrustworthy. It's time for Uncle Sam to get out his trust-busting stick and break up Google/Alphabet.

Maps - separate company
Search - separate company
Surveillance / "advertising" - separate company
Android - separate company
Chrome - separate company

Re:break up Google

[johnsie]

Yeah, let's do that. Just because one paranoid person on Slashdot hasn't taken his meds.

Re:Only in the USA! Home of IE fans!

[johnsie]

You're talking about the nation which brought us Hillary and Donald. Why would you expect them to have any sense when it comes to computing?

Re:Ordinarily I'd say YOU ARE RIGHT, but (lol)...

[BronsCon]

THANKS FOR THAT MUCH & since you like the Windows model (perfectly accurate)?

I never said I liked it, I said the work was good. If I liked it, I would use it, and I don't (and if I did, I would admit as much; I'm not one to bit off my nose to spite my face). You should know from the rest of that conversation that I would never use software written by someone as toxic and vile as you. It may be clean and safe today, but there's no reason to believe it will remain that way, particularly when you seem to have personal vendettas against so many people, myself included, and it would be trivial to throw some nastiness in that only triggers when the software detects that it is running on a system used by one of those people (for example, by looking for browser cookies of Slashdot logins for your targeted individuals).

You see, we're not all as stupid as you think us. If we were, we'd make easy targets for exploit by your wares.

Continued in reply to your 2nd reply...

/. vs the rest of the world

[DrYak]

Congratulation, you're the typical kind of people who hang on /. (ultra curious geeks, etc.)

The thing is that, there's the rest of the world, we're a bit north of 7 billion of humans on this planet.
Out of them not every one last of them thinks the same way as us.

Some just want an appliance, a thing that just works when they push a button.

There are people who can rebuild the old faulty electrical wiring of a dilapidated house.
and there are the people who just want the light to turn on when they push a button and are happy to give money to someone else to make it happen and don't *want* to give a damn about what's going on under the hood.

Apple, and the "walled garden" type of application platforms try to solve this regarding phone.
There are people who (for a good reason) release that they have a full blown personal computer in their pocket.
And there are people who just want to talk to their friends and send funny pictures of cat, and don't want to give a flying fuck about what an "operating system" is.

The only thing which I'm not happy with and which several people have talked in this thread, is that some like Apple and lots of Android manufacturer want to give you NO ALTERNATIVE to the walled garten, they do not give you the key to the main gate of the metaphorical garden's wall.

I would prefer phone that are locked-down BUT can be unlocked and put into developer mode if desired by the owner ( <- dear phone companies, please note the word and stop considering us as rental. We paid it, we own it, thanks).

---

Also a thing to think about is that some point in the future, the big fat warning upon activating the dev mode won't be enough.
- People get desensitized by clicking "Okay" on any pop-up warning. (Same problem that windows have since they introduced UAC due to problematic software that can't run on anything but admin mode).
- The "dancing pigs" problem : people are ready to follow any weird complex instructions from shady corners of the web just to get access to the funny video of dancing pigs (like installing some horrible spyware/botnet node that pretends to be a video player and codecs for the video). You can predict that if one day when the walled garden gets a little too efficient at rejecting malware to the taste of attacker, youtube bot-channels are going to pop up with "howtos" tutorials explaining how to put the smartphone in dev mode to side load "the best app to send video of kittens around" prompting even grandma to shoot themselves in the foot security-wise.

We'll have to think and prepare how to deal with this in the future (if we don't the manufacturing companies will choose the "more DRM" solution instead for us).

Re:Ordinarily I'd say YOURE RIGHT, but (lol)... ap

[BronsCon]

(cont.) Also, it seems that much has changed in the quality of your software in the past two years and several months. You see, there appears to be a glaring bug in your Slashdot spamming script that is causing it to double-post, though the grammar modification algorithm appears to be working (despite being obvious).

Please cease using my moniker at least until that has been fixed. Preferably, cease using it at all, especially while you're bitching about a company using your initials, when you know damn well the Android Package isn't named after you and more than the NSA is named after Norman Stanley Alexander.

Highly confusing...

[GuB-42]

That thing doesn't look like DRM. It is a way for people to download play store apps from outside the play store, and still have the guarantee that they get the original. There is absolutely no mention of any restriction on the user. The signature can be stripped off and unsigned apps can still be installed if you check the "unknown sources" option.
What will happen in the future is another subject. Google needs more than a simple signature in order to lock down the system.

Also, Android already has DRM ( https://developer.android.com/... ).

This is not DRM

[l2718]

Cryptographically signing applications to ensure integrity and authenticity may be a good idea (as long as phone owners retain the option, existing today, of installing apps from other sources if they wish). This scheme has nothing to do with DRM (Digital Restrictions Management), which is a name for methods intended to prevent users from copying works which are protected by copyright. DRM is technology that's supposed to prevent users from copying content (movies, e-books, etc), or more generally enforce whatever restrictions the supplier would like to enforce. Since DRM generally prevents users from doing things they would otherwise be able to legally do (make fair use of portions of the works; make backup copies; copy works in the public domain etc) it is justifiably considered a bad thing. I suspect that putting the DRM moniker on this possibly beneficial technology is motivated by encouraging users to think of DRM as something that protects their rights instead of something that violates them.

Re:Glad u think it's good, others agree

[BronsCon]

Do you not see irony in the fact that you've become what you hate? You're no different than the in-your-face, cram-their-shit-down-people's-throats, difficult-to-avoid, and hostile marketers that you so despise (and have accused my of being one of in the past). You literally get in people's faces, cram your shit down out throats, persist when people tell you they're not interested, and approach us all in the most hostile way possible; and it doesn't matter what your reason is, nor whether the reason is legitimate or simply perceived, what matters is the very behaviors you are exhibiting are the very behaviors those of us who block ads with to avoid.

So, why would we use a piece of software written by an advertiser to block ads?

The simple answer is that those of us who are sane would not. And we will not. That bridge burned the moment you started spamming and the crossing was dug wider when you started attacking people who pointed it out.

What makes me sad about this is that, one day, you'll stop. And when you do, we won't have a way to know whether it was because you finally sought treatment, were committed, killed yourself, were killed, or if you finally realized the irony in your actions.

At this point, the only way I would say your software was worth a damn is if it were also miraculously able to block your posts here on Slashdot. If that happened, honestly, that would make it the best fucking piece of software ever written. Of course, the advertiser only ever wants to block everyone else's ads, and never their own.

Bullshit

[HeckRuler]

Google has introduced a small change to Play Store apps that could significantly protect several Android users.

What the fuck is with this weaselly bullshit advertising?

This part here. This one. This is the part that you need to focus on: "your phone will run a version of Android that won't be able to install apps without it."
This is the part you should be mad about. That's control. By a monolithic corporation that does not have your best interest at heart.

And the article itself is talking out of it's ass and throwing around doublespeak willy nilly. Observe:

DRM means you are being treated like a thief before you buy any software.

EA doesn't trust that we paid for the software title so it forces us to present our papers when demanded.

and every other entertainment publisher which decides where in the world you are allowed to listen to music or watch a movie that you paid for, or how many times you are allowed to do so.

Yeah, that's right, DRM is bad. Abusive. Annoying. A bad stance to have with the business-customer relationship. We're all on the same page. ....And then it does some mental gymnastics and says this:

So DRM is bad to the core. But not really. DRM is simply a way for a developer or publisher to keep track of software versions and authenticity.

. . . wtf? That's EXACTLY what those examples above are doing. "Keep track of authenticity" as in "This is not an approved app, SO YOU CANNOT RUN IT". How can you possibly acknowledge the pitfalls of DRM and then immediately turn around and say Google is doing this for the right reasons? That's utter delusional fan-boy bullshit.

There is certainly potential for abuse there, but we have to wait and see if any developers get any bad ideas.

No we don't. We've been to this rodeo before. And it's NOT the developers we have teo worry about. It's Google decided to flip on the walled garden bit of disallowing people to install what applications they want.

It's like how a knife in the back certainly has potential for worry. But we'll have to wait and see if google twists it on the way out.

Re:Bullshit

[digital_fiz]

https://www.androidpolice.com/...

you don't know Jack

[epine]

Damn straight!! The peasant class doesn't deserve no stinking freedom. They can't handle it. All Hail King Alphabet ruler of all teh Intertubes.

You CAN'T HANDLE your own stinking privacy.

Only this is the Jack from The Shining and not the Jack from A Few Good Men.

(Or perhaps the Apple store is Jack from The Witches of Eastwick; none of Cher, Susan Sarandon, or Michelle Pfeiffer are dating Jared, so in that sense, at least, he got off light.)

Re: Self-fulfilling idio(crac)y!

[datavirtue]

Odd...I was taught these very things by an accountant.

Re:Your straw man fails. Hard.

[datavirtue]

Imagine starting off for vacation. A little bell goes off telling you there is a flat tire. Do you not go on vacation? Do you call a man to get your family back on the road? Jesus fucking Christ.

It's not DRM jeez people.

[digital_fiz]

https://www.androidpolice.com/...

Re:Registered /.ers disagree w/ you (even YOU)

[BronsCon]

Thank you for proving my point.

Re:Likewise thank YOU for helping prove mine

[BronsCon]

Yes, and now that my perspective has changed I see that it is the work of an abject madman. Or do you not change your opinions as new facts arise?

Re:You said it best in this quote of you

[BronsCon]

(No changing facts written in stone long ago...)

No, just opinions written in bits.

Re:Alex McCLOWN/Khyber, alias...

[BronsCon]

Dude, when the hell did you find the time to write the Linux version? Seems like you're here posting this shit 24/7.

Google Nazi bs

[RetepGuh]

I have a permit to carry weapons, but I am treated like an idiot who doesn't own my phone.google Nazi play store can sniff through my phone like pigs they are.time for a change sooner the later.to all idiots who need protection come to me I sell u bunch of story's to make u feel safer.