You can’t use stuff like banking apps on a modified device and losing access to normal android devices would be a big blow to the momentum of the F-Droid community. GrapheneOS might not be a big enough community to sustain work on the projects delivered by F-Droid.
zb3 · 2026-04-28 16:13:35 UTC
> losing access to normal android devices would be a big blow to the momentum of the F-Droid community.
For me it seems the opposite - if these "normal" (GMS spyware) Android devices lose the access to F-Droid and it will only be possible to install malware/adware from Google Play, then maybe that will push more people to value unlocking the bootloader..
gruez · 2026-04-28 16:16:51 UTC
>You can’t use stuff like banking apps on a modified device
IME such apps are few and far between. The most trouble I ran into is play store refusing to show apps because they claim the app isn't compatible with the device, but that can be worked around with aurora store.
Sayrus · 2026-04-28 16:28:54 UTC
I think parent is talking about Play Integrity being integrated into banking apps. It's a hit or miss depending on the bank, some will be fine without, some with integrate it but not rely on it to directly refuse login, some will require a lower integrity level, and some will actually require the highest integrity level leading to issues on custom ROMs.
bakugo · 2026-04-28 16:46:46 UTC
They really aren't. The number of apps requiring Play Integrity grows every day, my own bank's app hasn't worked in years and I've long given up on it, I just use it on a second stock device now.
And Google has an answer to the "just install the APK from somewhere else" workaround, too. Many apps now integrate a check that prevents them from running if they're not properly linked to the Play Store.
akramachamarei · 2026-04-28 17:27:53 UTC
Are banking apps much more useful than banking websites, anyway?
kube-system · 2026-04-28 17:52:18 UTC
Depends highly on the bank and what part of the world you're in. Some banks have only a website and no app. Some banks have only an app and no website. Some require an app to access the website. The landscape is widely varied.
bakugo · 2026-04-28 22:27:18 UTC
Don't know what the landscape is like in the US, but here in Europe, many banks require the app for any sort of online payment. There is no alternative. If your phone isn't stock, you're screwed.
l72 · 2026-04-28 18:38:46 UTC
My Android is running Lineage without Google Play Services (no microg either).
I had an app that I needed to use, and the only available log-in method was via firebase's SMS. Firebase flat out refused to allow me to login because of Google Play Integrity, and there was no web only option.
I ended up having to use my spouse's iPhone...
gruez · 2026-04-28 20:46:00 UTC
>My Android is running Lineage without Google Play Services (no microg either).
>Firebase flat out refused to allow me to login because of Google Play Integrity
Sounds like the issue is that you don't have play services installed, rather than play integrity specifically.
ncr100 · 2026-04-28 18:16:35 UTC
I wonder then if the workaround for THAT (losing access to Banking / "Google trust-deriving apps") is to get a second device, wifi-only no-SIM G-Android.
Cumbersome, but any other deterring reasons why "not a good workaround"?
phreack · 2026-04-28 16:26:56 UTC
Not much, as it only works on very few high end phones not sold in most countries. Hopefully their Motorola partnership will expand its availability but I'm not confident that'll happen anytime soon.
zb3 · 2026-04-28 16:38:03 UTC
Sadly forget about it - GrapheneOS will only work on Motorola __flagship__ devices, and most of their budget phones are not even made by Motorola, but rather by the odm such as Tinno, where it's not even possible to unlock the bootloader without exploits.
GrapheneOS will sadly stay unaffordable for many.
morserer · 2026-04-28 17:28:37 UTC
Ideally yes, otherwise any other AOSP-based ROM. There are many, and they support far more devices than Graphene, though implementations of e.g. Google Play services is more hacky.
Isnt the title a bit dramatic? I remember reading you can still install apps but you just need to click a few buttons.
benoau · 2026-04-28 15:49:14 UTC
This isn't referring to the efforts Google has gone to try to thwart sideloading.
It is another requirement of Google's, where all developers must be registered to them and apps must be signed by them and anything that isn't will be blocked.
jjgreen · 2026-04-28 15:57:04 UTC
From TFA:
Delve into System Settings, find Developer Options
Tap the build number seven times to enable Developer Mode
Dismiss scare screens about coercion
Enter your PIN
Restart the device
Wait 24 hours
Come back, dismiss more scare screens
Pick "allow temporarily" (7 days) or "allow indefinitely"
Confirm, again, that you understand "the risks"
Nine steps. A mandatory 24-hour cooling-off period. For installing
software on a device you own.
0x3f · 2026-04-28 16:04:46 UTC
Sounds a bit like trying to transfer my own money to myself at the bank. I.e. it seems designed to prevent old people getting scammed.
hungryhobbit · 2026-04-28 16:28:10 UTC
That's exactly what this is: Google is trying to prevent tech illiterate users from installing malware.
(Or at least, that's their take on this. You can choose to read between the lines, or not, as to whether they have other motivations also.)
raverbashing · 2026-04-28 16:45:15 UTC
Of course they have other motivations
But for 1 person wanting to run their own software there are hundreds of people with the potential to install malware/crapware/etc
lucb1e · 2026-04-28 20:43:26 UTC
Had to read that sentence twice. You really think that there's more people getting scammed via "please tap the build number seven times and then go to extra settings and enable untrusted installs and then go to this website that I will dictate the URL of and you should ignore that install warning" etc etc etc. to install an apk to run software that can barely access more than a simple webpage could, than there are people (like HN'ers) who install apk files from github and f-droid?!
(Also note that "crapware" describes basically every app you find in google's store. I try on occasion, when nobody made an open source this-or-that, and it's such a minefield. If that's the thing you're trying to avoid, I don't know how you could possibly feel positive about a requirement to only use the Play Store for the tech-illiterate)
mulmen · 2026-04-28 17:01:20 UTC
Define malware.
kube-system · 2026-04-28 17:33:52 UTC
The scams this directly targets are well known and common. Someone gets a phishing message, they have someone install some sort of malware on the device, then their bank accounts are drained into some offshore account never to be seen again.
That's why there's a requirement for restarting the phone and waiting 24 hours.
The restart ends the connection for any remote-access software or phone call that might be driving the operation -- and the 24 hour wait period breaks the "urgency" part of the scam that prevents other people who know better from stopping the vicim from continuing.
I see zero trouble as long as it requires no additional identification, no additional payment, and no mandatory time limit for the sideloaded apps.
That is, fine by me. I can wait for 24 hours once in a few years when I acquire a new mobile phone.
moralestapia · 2026-04-28 16:09:53 UTC
Why would you do all that to install an app in a device that you own? It's bollocks.
nine_k · 2026-04-28 16:15:57 UTC
Because grandmas all over the world are getting swindled by scam apps.
Look, I can't locally install a web extension I wrote on an open-source Firefox browser, because security. I have to install a Developer Edition, or get the extension reviewed and signed by Mozilla, for the very same reasons of thwarting scammers. Is this stifling, or is it making my browser not mine? Is anybody making a big deal out of that?
The world we inhabit is not always friendly. It has a ton of determined and sophisticated bad actors, and a lot of people with less technical savvy than you and me. We have to deal with that, instead of being cantankerous.
rcxdude · 2026-04-28 16:19:10 UTC
It's not obvious to me that this will help much with scamming. Especially when it affects safer app repositories like F-droid more than the cesspit that is the official Play store.
gruez · 2026-04-28 16:28:08 UTC
>It's not obvious to me that this will help much with scamming.
Because as a reader to this forum, you're probably more tech savvy that the average person. Moreover this type of scam seems to be more common in Asia than the West, see:
They convince users to download a "government app", grant it accessibility permissions, then use that to take over their phone and drain their bank accounts.
>Especially when it affects safer app repositories like F-droid more than the cesspit that is the official Play store.
Where do you draw the line? If you whitelist f-droid, do you have to whitelist third party f-droid repos too? What about other app "stores" like obtanium? Moreover f-droid being less of a "cesspool" is likely because its reach is smaller, not because it has better moderation.
rcxdude · 2026-04-28 16:37:56 UTC
I'm aware of the way the scams work. I'm also aware that scammers tend to be much more motivated to jump through hoops that are put in front them (more so than legitimate users!). Scammers can also talk people through many, many warning signs.
selectively · 2026-04-28 16:42:01 UTC
Scammers cannot talk people past a 24 hour wait. This attack is built upon pressure and operates at a scale that makes stealing many identies, building different-enough apps to avoid getting flagged by Google and signing them all non-viable.
moralestapia · 2026-04-28 19:42:33 UTC
>Scammers cannot talk people past a 24 hour wait.
Oh yeah, I forgot they're bound to some code of rules they follow. Scammers, of all people.
selectively · 2026-04-28 22:18:36 UTC
You're being dumb.
Not a 'code of rules'. The scam itself relies on urgency. Breaking the spell by allowing people to talk to friends/family/their bank makes the scam not work.
And most Android banking malware is distributed through unsafe sideload installs (as opposed to much safer Gatekeeper-style installs, which is what is coming) and are fed to victims through complex attacks involving obtaining a victim's personal information and calling them while credibly pretending to be a local authority or a bank representative. You can read about this wherever you get news about cyber crime.
This is a scourge in South East Asia and Google can do some good here. The only cost is whining from non-technical people. Everyone else will go pay $25 or whatever and sign their app.
nine_k · 2026-04-28 16:31:27 UTC
Play Store being a cesspit is indeed a problem! But it still is making a constant effort to drive away scammers, so scams don't last too long there. Scammers show sleek-looking web pages offering to install an "official app" from their own apk. Or they have an app that clandestinely sideloads another app. This is being curbed.
But it's limited to a one-time action, not encumbered by additional papers or payment. I don't foresee any trouble using F-Droid (which I use a lot) after I have dismissed the scary screens and confirmed that I know what I'm doing.
rcxdude · 2026-04-28 16:16:49 UTC
You are thinking about it from the point of view of an enthusiast/hacker who wants to put their homebrew stuff on it. But this is also tightening around developers who may want to distribute their applications to lay users.
selectively · 2026-04-28 16:25:24 UTC
Those developers will pay $25 for identity verification and have no issues.
rcxdude · 2026-04-28 16:33:38 UTC
Unless they do something google doesn't like, or trip one of their many automated systems that ban them without recourse. Or they are compelled to revoke a key by a government.
selectively · 2026-04-28 16:37:20 UTC
Revocations are for apps being malware and nothing else, much like macOS Gatekeeper (Apple doesn't even revoke certs used by Warez groups to sign cracked apps).
Automated bans can be an issue, but that's an edge case. Google already had the functionality to 'revoke' an app if ordered to do so by a legal authority.
It is much more important to make a real world attack - something that is draining wallets of ordinary people across Thailand/Brazil/SEA in general - harder to achieve. One thing is a political goal of some people in the west, the other is an ordinary person not having the money to feed themselves because a scammer stole it all.
rcxdude · 2026-04-28 16:39:31 UTC
I can't trust Google will keep to that, sorry. Nor can I accept harms being twisted into a further centralised accumulation of power (especially when Google, with all their resources, could likely do much more to prevent these scams than grabbing that power for themselves)
selectively · 2026-04-28 16:43:34 UTC
Well, the very good news is that Google is not seeking your trust. You have no say at all. This is the new system, it benefits actual real people over HN commenters and you will just have to deal with it.
Google doesn't have the ability to change the way banking apps work with regards to transferring money from one account to another in Malaysia/Brazil/Thailand. That would be a matter for the national Governments. This is the best approach available.
rcxdude · 2026-04-28 16:51:45 UTC
I'm aware I lack power here, but you seem to be trying to convince me it's a good thing.
selectively · 2026-04-28 16:53:24 UTC
It is, because your objectives disregard things that are far more important. Have a nice day.
diydsp · 2026-04-28 16:47:36 UTC
Drivers license leaks are surging.
selectively · 2026-04-28 16:52:52 UTC
Google's identity verification system relies on multiple factors, not solely drivers licensees or other national identity documents.
nine_k · 2026-04-28 16:55:28 UTC
Lay users use Play Store.
Users who use F-Droid are already not as lay. If you distribute stuff that Play Store would ban, your users are likely not as lay, too.
Yes, it's inconvenient, but I see it as a good-faith attempt to limit exposure of lay users to scams, not some power grab.
kube-system · 2026-04-28 17:37:01 UTC
There are exactly two groups of people who sideload APKs:
* people who know what they're doing
* people who are being victimized
moralestapia · 2026-04-28 16:08:59 UTC
>Wait 24 hours
Somehow bank vaults and heroin storage boxes don’t take this long.
kube-system · 2026-04-28 17:35:50 UTC
The 24 hour wait period is so the scammer can't use the element of urgency to keep the victim on the phone where they don't have the opportunity to speak with trusted friends/family who would stop the scam.
Worse: this flow runs entirely through Google Play Services, not the Android OS. Google can change it, tighten it, or kill it at any time, with no OS update required and no consent needed.
And as of today, it hasn't shipped in any beta, preview, or canary build.
It exists only as a blog post and some mockups.
Markoff · 2026-04-28 19:13:54 UTC
that seems better, not worse, that they don't implement this on OS level, so no gapps users are not affected at all
wstrange · 2026-04-28 16:40:12 UTC
To be fair, that's a one time process. You do not need to do that for every app you want to sideload.
The malware issue that the flow is designed to mitigate is a very real problem. Perhaps there is a better way, but it's not immediately clear what that is.
I wouldn't consider this "a few buttons", it's enough to turn off the less savvy users
627467 · 2026-04-28 19:15:26 UTC
Less savy and unmotivated users.. maybe? Whats the main use cases for newpipe? Let me guess: get premium features for free (no ads, downloads etc).
Do you think people wont click 9 buttons and wait 24hs for this?
Its like people forgot how pirated windows/sw used to run on millions (billions) on devices in the past until ads (and some convenience from non-so-cheap-anymore subscriptions) became the norm
lynndotpy · 2026-04-28 16:26:05 UTC
In addition to what others have said, it means some developers who were building for Android are going to stop. You can't install an app when someone is obstructed from building it in the first place.
> every Android app developer must register centrally with Google before their software can be installed on any device. Not just Play Store apps: all apps.
> Registration requires:
> Paying a fee to Google
> Agreeing to Google's Terms and Conditions
> Surrendering your government-issued identification
> Providing evidence of your private signing key
> Listing all current and all future application identifiers
Google is not an entity you can can trust with this.
zb3 · 2026-04-28 16:06:16 UTC
Yes, but not because of those changes in the GMS stock OS, but because the ability to unlock the bootloader (and install the OS you can actually control) is being increasingly limited.
Stock GMS Android was never yours, you only had access to basic permissions, privileged/signature permissions were only accessible to Google/vendors anyway.
drnick1 · 2026-04-28 16:07:10 UTC
I don't care, I run Graphene, and my phone is definitely mine. Most Android apps just work, and the ones that don't are the kind of malware I am happy to do without.
chneu · 2026-04-28 16:10:29 UTC
I have a pixel 10 pro and have tried no less than 5 times to get my apps to work on graphene, no luck.
I'm no slouch either, I've developed for android for almost a decade.
I'm not disagreeing with ya, just adding a comment so folks are aware that the "Graphene just works" crowd is sometimes a bit hyperbolic.
akho · 2026-04-28 16:21:02 UTC
What apps?
(idle interest; I use Graphene, but few apps, and everything worked so far)
Sayrus · 2026-04-28 16:23:33 UTC
I've been using it for a bit over a year. Installed in a few minutes thanks to WebUSB. A bit of research needed to set the right permissions on Google Play Services.
After that? I only had one application fail due to Graphene's memory allocator. No weird bugs, no need to restart like some siblings are commenting. As close to the "Graphene just works" as it could be.
However, I'm not heavy into Google's ecosystem. Google Pay will not work but I'm not a user, some Google features won't tell you why they don't work but I'm not using them either (Quick Share for instance), none of my apps require the highest Play Integrity level. Maybe the person who say this are a specific type of person where use-cases don't overlap with what breaks on Graphene.
estebank · 2026-04-28 17:07:30 UTC
The interaction of secondary users with RCS is borked to all hell. It just plain doesn't work.
Firefox + stock keyboard stopped properly working three days ago, it's back to normal now. No idea what that was about. Restarting was the only way I found to get things working again during that period.
While on the stock Android keyboard, it is clear that the Google one is much better at correcting my taps than the stock one. My typo count has gone up significantly.
Every several weeks the mobile connectivity stops working and nothing short of a restart will get it working again. This might be a bad interaction of the very weird way Google Fi works with a secondary user account.
I've encountered one case of the phone shutting itself off to install an update overnight and not turning on, making me miss my morning alarm.
In the US, there's no way to side step the lack of tap to pay.
Getting apps to work with Android Auto requires some finessing.
These are the things I've encountered in the last 2 months of using Graphene.
Aside from all of that, I really like everything else about the OS. As it stands, it does lacks polish when straying outside of the common path. Not using a secondary account, nor Google Fi on an eSIM, and using the stock browser would likely improve my experience significantly.
I haven't encountered an app that wouldn't work yet (but have installed play services as I do want to use Android Auto).
I would still recommend Grapheme for normal-ish users, as long as you don't go "paranoid mode" with secondary accounts and skipping play services or don't want to use the phone for tons of things beyond phone calls and web browsing. The base experience is that much calmer than stock Android on Pixel.
ninininino · 2026-04-28 16:13:11 UTC
That's a great attitude until slowly but surely 90% of apps used in day to day life won't function for you: banking, dating, social media, e-commerce, communication/messaging etc slowly freeze you out.
bee_rider · 2026-04-28 16:46:18 UTC
Are banks and e-commerce going to get rid of their websites? I imagine some will, but I can’t imagine using one that did.
Dating… well, the goal for most people is to exit the dating pool anyway.
Social media is bad.
brodock · 2026-04-28 17:00:45 UTC
In many countries it's already impossible to use just the web for banking. They either make you install rootkits on your computer or move you to their mobile apps
bee_rider · 2026-04-28 17:14:36 UTC
Wow, that sounds awful. You say country, which makes me wonder—is this the result of a popular type of law or something? I can’t imagine every bank in a country deciding to make that same move. But I live in a large country with lots of banks so I’m sure I have a very biased point of view.
> I can’t imagine every bank in a country deciding to make that same move.
Many countries have only three or four full banks (the kind that can give you a Visa or Mastercard bank card, let you send and receive transfers, etc.), and all of them are making the same moves.
k4rli · 2026-04-28 17:08:03 UTC
A hidden benefit is having to decide now whether you actually need these things.
Messaging apps will continue working.
Banking apps made by reasonable companies will also. In days of banking being competitive and rather open with many providers offering good value, it's so easy to switch providers. Granted I am relatively poor and keep my banking simple, but I doubt card providers want to increase friction either.
After Revolut started requiring >basic integrity it took me appx 1 day to switch to n26 and nothing of value was lost.
Not being able to use socialmedia, e-commerce, and dating apps sounds great.
volemo · 2026-04-28 16:14:25 UTC
Sadly it works only on Pixel phones.
absolute8606 · 2026-04-28 16:37:34 UTC
They’ve announced a partnership with Motorola to have it installed on some of their phones in the future, so not just Pixels for long!
tombert · 2026-04-28 16:53:53 UTC
Assuming that this Graphene partnership ends up working out, this is probably what I will end up doing once my current iPhone dies. I like my iPhone 13 Pro Max, it's a good phone and I don't really have a desire to get rid of it, but eventually it will break, or get stolen, or in some other way become unusable, and as such it will need to be replaced.
I really hated my Pixel 7 Pro, but I think that was bad hardware and not Android's fault, and since buying my iPhone 13 I have bought my Thinkpad and have been unbelievably impressed with Lenovo hardware (especially since the last Android phone that I bought that I actually liked was my Moto X3).
It would be great if Graphene ends up getting support from at least one first party, because at that point I think there's at least a chance it won't screw with banking apps and the like.
estebank · 2026-04-28 16:16:06 UTC
I use GrapheneOS too. Most of the time it works great, with some weird bugs around group messages and needing to restart every now and then to get to a fully functional state between the browser and keyboard properly working with each other and the network connectivity going away. I do enjoy full control on network connectivity and notifications.
But beyond whether the OS is good or not, "fuck you, I've got mine" is not only sad as a position in general, it is also a bad tactical choice, because over long enough timeframes you can't assure that you can keep yours if others are deprived.
Brian_K_White · 2026-04-28 17:31:23 UTC
I agree about "I got around the system so I don't care how bad it is.", but it is at least still a form of saying "an alternative to this problem is Graphene", and that can't be repeated enough until a whole lot more people are using it, or anything else like Lineage.
Graphene (or anything else) will only stay a useful option if a whole lot more people use it so that government agencies and banks can't ignore that many people. A whole lot more people need to feel they aren't completely alone if they thought about using it, that it's actually a real option and not a kooky crap option.
Right now agencies & companies can totally ignore them all, and everything that still works today is just luck.
I haven't used Graphene myself. At the moment I have a stock rom that's merely rooted using the official manufacturer supplied bootloader unlock, and my small local credit union bank apps work, and the LG app that controls my air conditioners and microwave does not. Even if the bank apps didn't work it wouldn't matter because they have working web sites, and I never wanted an an app for my appliances in the first place.
But any day that could change.
It's just luck the banks have web sites that work in firefox on linux, and just luck there are no functions I need on those appliances that require the app.
hacker161 · 2026-04-28 16:22:44 UTC
First they came for the stock Android users, and I did not speak out for I was not a stock Android user.
mmooss · 2026-04-28 16:22:48 UTC
Google could lock out Graphene too, whenever they like, with no warning. I hope Graphene has a plan.
jordand · 2026-04-28 16:33:00 UTC
I'm running GrapheneOS too and while I've experienced the same, I'm dreading the day any of my banking apps update and suddenly start demanding full Play Integrity API support (GrapheneOS only has Basic) causing them to fail to open. Hasn't happened yet but it could.
Freak_NL · 2026-04-28 17:17:14 UTC
It always feels like my phone experience is just a pleasant intermezzo. My banking app (ABN Amro) works, government apps (DigiD) work, everything just works, and I get security and a certain degree of distance between me and Google. I can use F-Droid to install useful apps, and incidentally use Google's app store for apps I need because the rest of the world uses them. GrapheneOS rocks.
Borrowed time. I hope not, but that's the prevailing feeling.
at-fates-hands · 2026-04-28 16:33:32 UTC
Devs have been warning F-Droid about this for years:
It's quite problematic that someone can currently upload a package name belonging to another organization to the Play Store and that should have been stopped years ago since it was used in many cases for scamming and squatting on package names clearly belonging to others. Package names are meant to start with a reverse domain belonging to the owner such as app.grapheneos for our grapheneos.app domain. They could enforce this based on domains authorizing usage without enforcing ID verification and that's what we would have proposed.
This is one of the ways F-Droid has ignored standard best practices including security practices in a way that's already causing problems but is now a massive issue for them. If they had started doing things properly many years ago when it was first brought up, then they'd be in a much better situation today. They're going to need to deal with this by renaming all their package names to org.fdroid. to avoid issues with the proposed changes. This is problematic because existing users will stop getting updates. It's better to use a prefix than a suffix where a developer could end up changing their mind about whether it makes sense resulting in conflict over the name, which is fair since they still own it if it's their reverse domain.
fooqux · 2026-04-28 17:22:44 UTC
Being a Graphene user is fine and all, but if this continues it will have a chilling effect on OSS Android development. And that will still effect you.
2OEH8eoCRo0 · 2026-04-28 17:53:48 UTC
How can you trust graphene or it's contributors and supply chain?
prism56 · 2026-04-28 22:12:48 UTC
You should care because the install base could reduce drastically. Reducing the amount of Devs and contributions to the FOSS scene. This will degrade your experience
OgsyedIE · 2026-04-28 16:10:31 UTC
The communication on this front page is excellent given the intended audience, with the right mixing of emphasis and punctuation for effect.
I'd like to see, if it can be found, some anecdotes about the nuts and bolts of writing any kind of material intended to persuade in this way. How do they a/b test the formatting and so on.
Xunjin · 2026-04-28 16:12:40 UTC
Let me play out a scenario, imagine to use a Desktop Hardware like a complete built rig, you would need a specific OS like Windows 11 and you could not run Linux on it, just because it's a vendor lock-in.
Why is this acceptable for phones but would not for the case above?
I know a lot of people don't care, and that's ok, but we should root for an open choice for the users.
59percentmore · 2026-04-28 16:25:46 UTC
From the state's perspective, probably along the same lines as why long guns are allowed with permit in many countries where handguns are banned.
fainpul · 2026-04-28 17:20:29 UTC
Because you can conceiled carry a smartphone? Please explain.
hightrix · 2026-04-28 17:09:25 UTC
If computers were invented by the Silicon Valley of the 2020s, this would absolutely be the case.
dghlsakjg · 2026-04-28 17:52:59 UTC
To be fair, many early computers were tied to the OS.
code_duck · 2026-04-28 17:13:11 UTC
It’s the same situation as game consoles. Custom built hardware that is only meant to run the one specific vendor OS. There have been many other computing devices like that in the past as well. The general purpose desktop computer that allows a choice of operating systems is actually less common than the other way. Historically, people didn’t expect to run alternate operating systems on a mainframe, 80s and 90s computers like a Commodore 64, Power PC Macs, Amigas and DOS/Windows machines until Linux came along.
Comments
You can’t use stuff like banking apps on a modified device and losing access to normal android devices would be a big blow to the momentum of the F-Droid community. GrapheneOS might not be a big enough community to sustain work on the projects delivered by F-Droid.
For me it seems the opposite - if these "normal" (GMS spyware) Android devices lose the access to F-Droid and it will only be possible to install malware/adware from Google Play, then maybe that will push more people to value unlocking the bootloader..
IME such apps are few and far between. The most trouble I ran into is play store refusing to show apps because they claim the app isn't compatible with the device, but that can be worked around with aurora store.
And Google has an answer to the "just install the APK from somewhere else" workaround, too. Many apps now integrate a check that prevents them from running if they're not properly linked to the Play Store.
I had an app that I needed to use, and the only available log-in method was via firebase's SMS. Firebase flat out refused to allow me to login because of Google Play Integrity, and there was no web only option.
I ended up having to use my spouse's iPhone...
>Firebase flat out refused to allow me to login because of Google Play Integrity
Sounds like the issue is that you don't have play services installed, rather than play integrity specifically.
Cumbersome, but any other deterring reasons why "not a good workaround"?
GrapheneOS will sadly stay unaffordable for many.
The most well-known: https://wiki.lineageos.org/devices/
It is another requirement of Google's, where all developers must be registered to them and apps must be signed by them and anything that isn't will be blocked.
(Or at least, that's their take on this. You can choose to read between the lines, or not, as to whether they have other motivations also.)
But for 1 person wanting to run their own software there are hundreds of people with the potential to install malware/crapware/etc
(Also note that "crapware" describes basically every app you find in google's store. I try on occasion, when nobody made an open source this-or-that, and it's such a minefield. If that's the thing you're trying to avoid, I don't know how you could possibly feel positive about a requirement to only use the Play Store for the tech-illiterate)
That's why there's a requirement for restarting the phone and waiting 24 hours.
The restart ends the connection for any remote-access software or phone call that might be driving the operation -- and the 24 hour wait period breaks the "urgency" part of the scam that prevents other people who know better from stopping the vicim from continuing.
That is, fine by me. I can wait for 24 hours once in a few years when I acquire a new mobile phone.
Look, I can't locally install a web extension I wrote on an open-source Firefox browser, because security. I have to install a Developer Edition, or get the extension reviewed and signed by Mozilla, for the very same reasons of thwarting scammers. Is this stifling, or is it making my browser not mine? Is anybody making a big deal out of that?
The world we inhabit is not always friendly. It has a ton of determined and sophisticated bad actors, and a lot of people with less technical savvy than you and me. We have to deal with that, instead of being cantankerous.
Because as a reader to this forum, you're probably more tech savvy that the average person. Moreover this type of scam seems to be more common in Asia than the West, see:
https://cdn.economistdatateam.com/videos/cyber-scams/fake-vi...
https://www.economist.com/interactive/asia/2026/04/10/scam-i...
They convince users to download a "government app", grant it accessibility permissions, then use that to take over their phone and drain their bank accounts.
>Especially when it affects safer app repositories like F-droid more than the cesspit that is the official Play store.
Where do you draw the line? If you whitelist f-droid, do you have to whitelist third party f-droid repos too? What about other app "stores" like obtanium? Moreover f-droid being less of a "cesspool" is likely because its reach is smaller, not because it has better moderation.
Oh yeah, I forgot they're bound to some code of rules they follow. Scammers, of all people.
Not a 'code of rules'. The scam itself relies on urgency. Breaking the spell by allowing people to talk to friends/family/their bank makes the scam not work.
https://privsec.dev/posts/android/f-droid-security-issues/
And most Android banking malware is distributed through unsafe sideload installs (as opposed to much safer Gatekeeper-style installs, which is what is coming) and are fed to victims through complex attacks involving obtaining a victim's personal information and calling them while credibly pretending to be a local authority or a bank representative. You can read about this wherever you get news about cyber crime.
This is a scourge in South East Asia and Google can do some good here. The only cost is whining from non-technical people. Everyone else will go pay $25 or whatever and sign their app.
But it's limited to a one-time action, not encumbered by additional papers or payment. I don't foresee any trouble using F-Droid (which I use a lot) after I have dismissed the scary screens and confirmed that I know what I'm doing.
Automated bans can be an issue, but that's an edge case. Google already had the functionality to 'revoke' an app if ordered to do so by a legal authority.
It is much more important to make a real world attack - something that is draining wallets of ordinary people across Thailand/Brazil/SEA in general - harder to achieve. One thing is a political goal of some people in the west, the other is an ordinary person not having the money to feed themselves because a scammer stole it all.
Google doesn't have the ability to change the way banking apps work with regards to transferring money from one account to another in Malaysia/Brazil/Thailand. That would be a matter for the national Governments. This is the best approach available.
Users who use F-Droid are already not as lay. If you distribute stuff that Play Store would ban, your users are likely not as lay, too.
Yes, it's inconvenient, but I see it as a good-faith attempt to limit exposure of lay users to scams, not some power grab.
* people who know what they're doing
* people who are being victimized
Somehow bank vaults and heroin storage boxes don’t take this long.
The malware issue that the flow is designed to mitigate is a very real problem. Perhaps there is a better way, but it's not immediately clear what that is.
I wouldn't consider this "a few buttons", it's enough to turn off the less savvy users
Do you think people wont click 9 buttons and wait 24hs for this?
Its like people forgot how pirated windows/sw used to run on millions (billions) on devices in the past until ads (and some convenience from non-so-cheap-anymore subscriptions) became the norm
> every Android app developer must register centrally with Google before their software can be installed on any device. Not just Play Store apps: all apps.
> Registration requires:
> Paying a fee to Google
> Agreeing to Google's Terms and Conditions
> Surrendering your government-issued identification
> Providing evidence of your private signing key
> Listing all current and all future application identifiers
Google is not an entity you can can trust with this.
Stock GMS Android was never yours, you only had access to basic permissions, privileged/signature permissions were only accessible to Google/vendors anyway.
I'm no slouch either, I've developed for android for almost a decade.
I'm not disagreeing with ya, just adding a comment so folks are aware that the "Graphene just works" crowd is sometimes a bit hyperbolic.
(idle interest; I use Graphene, but few apps, and everything worked so far)
After that? I only had one application fail due to Graphene's memory allocator. No weird bugs, no need to restart like some siblings are commenting. As close to the "Graphene just works" as it could be.
However, I'm not heavy into Google's ecosystem. Google Pay will not work but I'm not a user, some Google features won't tell you why they don't work but I'm not using them either (Quick Share for instance), none of my apps require the highest Play Integrity level. Maybe the person who say this are a specific type of person where use-cases don't overlap with what breaks on Graphene.
Firefox + stock keyboard stopped properly working three days ago, it's back to normal now. No idea what that was about. Restarting was the only way I found to get things working again during that period.
While on the stock Android keyboard, it is clear that the Google one is much better at correcting my taps than the stock one. My typo count has gone up significantly.
Every several weeks the mobile connectivity stops working and nothing short of a restart will get it working again. This might be a bad interaction of the very weird way Google Fi works with a secondary user account.
I've encountered one case of the phone shutting itself off to install an update overnight and not turning on, making me miss my morning alarm.
In the US, there's no way to side step the lack of tap to pay.
Getting apps to work with Android Auto requires some finessing.
These are the things I've encountered in the last 2 months of using Graphene.
Aside from all of that, I really like everything else about the OS. As it stands, it does lacks polish when straying outside of the common path. Not using a secondary account, nor Google Fi on an eSIM, and using the stock browser would likely improve my experience significantly.
I haven't encountered an app that wouldn't work yet (but have installed play services as I do want to use Android Auto).
I would still recommend Grapheme for normal-ish users, as long as you don't go "paranoid mode" with secondary accounts and skipping play services or don't want to use the phone for tons of things beyond phone calls and web browsing. The base experience is that much calmer than stock Android on Pixel.
Dating… well, the goal for most people is to exit the dating pool anyway.
Social media is bad.
Many countries have only three or four full banks (the kind that can give you a Visa or Mastercard bank card, let you send and receive transfers, etc.), and all of them are making the same moves.
Messaging apps will continue working.
Banking apps made by reasonable companies will also. In days of banking being competitive and rather open with many providers offering good value, it's so easy to switch providers. Granted I am relatively poor and keep my banking simple, but I doubt card providers want to increase friction either. After Revolut started requiring >basic integrity it took me appx 1 day to switch to n26 and nothing of value was lost.
Not being able to use socialmedia, e-commerce, and dating apps sounds great.
I really hated my Pixel 7 Pro, but I think that was bad hardware and not Android's fault, and since buying my iPhone 13 I have bought my Thinkpad and have been unbelievably impressed with Lenovo hardware (especially since the last Android phone that I bought that I actually liked was my Moto X3).
It would be great if Graphene ends up getting support from at least one first party, because at that point I think there's at least a chance it won't screw with banking apps and the like.
But beyond whether the OS is good or not, "fuck you, I've got mine" is not only sad as a position in general, it is also a bad tactical choice, because over long enough timeframes you can't assure that you can keep yours if others are deprived.
Graphene (or anything else) will only stay a useful option if a whole lot more people use it so that government agencies and banks can't ignore that many people. A whole lot more people need to feel they aren't completely alone if they thought about using it, that it's actually a real option and not a kooky crap option.
Right now agencies & companies can totally ignore them all, and everything that still works today is just luck.
I haven't used Graphene myself. At the moment I have a stock rom that's merely rooted using the official manufacturer supplied bootloader unlock, and my small local credit union bank apps work, and the LG app that controls my air conditioners and microwave does not. Even if the bank apps didn't work it wouldn't matter because they have working web sites, and I never wanted an an app for my appliances in the first place.
But any day that could change.
It's just luck the banks have web sites that work in firefox on linux, and just luck there are no functions I need on those appliances that require the app.
Borrowed time. I hope not, but that's the prevailing feeling.
It's quite problematic that someone can currently upload a package name belonging to another organization to the Play Store and that should have been stopped years ago since it was used in many cases for scamming and squatting on package names clearly belonging to others. Package names are meant to start with a reverse domain belonging to the owner such as app.grapheneos for our grapheneos.app domain. They could enforce this based on domains authorizing usage without enforcing ID verification and that's what we would have proposed.
This is one of the ways F-Droid has ignored standard best practices including security practices in a way that's already causing problems but is now a massive issue for them. If they had started doing things properly many years ago when it was first brought up, then they'd be in a much better situation today. They're going to need to deal with this by renaming all their package names to org.fdroid. to avoid issues with the proposed changes. This is problematic because existing users will stop getting updates. It's better to use a prefix than a suffix where a developer could end up changing their mind about whether it makes sense resulting in conflict over the name, which is fair since they still own it if it's their reverse domain.
I'd like to see, if it can be found, some anecdotes about the nuts and bolts of writing any kind of material intended to persuade in this way. How do they a/b test the formatting and so on.
Why is this acceptable for phones but would not for the case above?
I know a lot of people don't care, and that's ok, but we should root for an open choice for the users.