Android at a Crossroads: Security vs. Freedom in Google's New Policy
The Promise of Android
Computers are tools. As an adult, I pick my devices following arbitrary criteria to fulfill my needs. I have a notebook for programming, browsing the internet, checking email, and related activities. For gaming, I built a whole rig. The two use different operating systems and different drivers and have different software installed, as they serve different purposes.
Modern phones are computers. They outshine even the gaming rig I owned in 2005 and run their own operating systems, which boil down to either Android or iOS, de facto the only feasible options in today’s tech landscape.
Android’s original promise was freedom and openness. Unlike iOS, Android allowed users to install applications from outside the official store. This meant homebrew software, FOSS alternatives, and specialized applications that might not meet Google’s market criteria could still reach users. It was a key differentiator that gave users more control over their devices. The latest announcement by Google implies that those times will soon be over.
What’s the problem, really?
Google claims implementing developer verification is necessary to enhance security on your device. In theory, anonymous developers could trick you into installing malware on your phone. However, this reasoning has several flaws:
- Android already warns users when installing APKs from unknown sources with a clear security dialog.
- Google will not scan your app for malicious code once registered, making verification primarily about identity, not security.
- There is malware on the official Play Store despite Google’s oversight.
- Google delivers malicious code through ads on their own platforms.
As a developer, I know the tools and steps needed to build and publish an APK. You set up your codebase, sooner or later involve Android Studio, and provide your signing key to be used in the build process. You plug your phone into your PC, activate developer mode, move the built artifact to your phone, and finally launch it. Should anybody tamper with your code and distribute an alternative artifact, existing security measures will prevent its execution unless they manage to steal your signing key.
By 2027 at the latest, you won’t use your own key, but a key issued by Google.
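The signing check described above can be made concrete. The following is an added example, not code from this post or from Android: a simplified Python model of how a device decides whether to accept an APK over an already installed package, assuming the APK's own signature has already verified and ignoring key rotation. The class names, package name and certificate bytes are constructed; the two failure strings are the codes Android's installer reports for these cases.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Apk:
    package: str
    version_code: int
    signer_cert: bytes  # constructed stand-in for the DER signing certificate

def cert_digest(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()

def signer_matches(apk: Apk, published_digest: str) -> bool:
    # Check before a first install: compare against the digest the developer publishes.
    return cert_digest(apk.signer_cert) == published_digest

class Device:
    def __init__(self):
        self.installed = {}  # package -> (version_code, signer digest)

    def install(self, apk: Apk) -> str:
        digest = cert_digest(apk.signer_cert)
        current = self.installed.get(apk.package)
        if current is not None:
            cur_version, cur_digest = current
            if digest != cur_digest:
                # Update signed by a different key than the installed copy.
                return "INSTALL_FAILED_UPDATE_INCOMPATIBLE"
            if apk.version_code < cur_version:
                return "INSTALL_FAILED_VERSION_DOWNGRADE"
        # First install is trust-on-first-use: any signer is recorded as-is.
        self.installed[apk.package] = (apk.version_code, digest)
        return "Success"

DEV_CERT = b"constructed-developer-certificate"
OTHER_CERT = b"constructed-repackager-certificate"

def demo():
    phone = Device()
    results = [
        phone.install(Apk("com.example.notes", 1, DEV_CERT)),    # first install
        phone.install(Apk("com.example.notes", 2, DEV_CERT)),    # same-key update
        phone.install(Apk("com.example.notes", 3, OTHER_CERT)),  # re-signed copy
        phone.install(Apk("com.example.notes", 1, DEV_CERT)),    # older version
    ]
    fresh = Device()  # device that never had the app installed
    results.append(fresh.install(Apk("com.example.notes", 3, OTHER_CERT)))
    return results
```

The last case shows that the check enforces continuity with the installed copy: on a device that never had the app, the signer digest has to be compared with the one the developer publishes, which is what `signer_matches` does.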
Alternative Approaches Exist
What’s particularly frustrating is that there are better alternatives that could enhance security without centralizing control:
- Decentralized verification: Similar to how certificate authorities work for web security, Android could support multiple independent verification authorities.
- Open verification standards: The Linux ecosystem provides examples like the Ubuntu Software Center, which verifies software without requiring a single gatekeeper.
- Enhanced warnings: Instead of blocking installations, Google could improve their warning systems with more detailed risk information while still respecting user choice.
These alternatives would achieve the security goals while preserving the openness that makes Android distinct from iOS.
The Illusion of Custom ROM Freedom
Some might argue that custom ROMs will still provide freedom for tech-savvy users, but this argument misses a crucial point. Google has been steadily tightening its grip on the Android ecosystem through several mechanisms. SafetyNet and Play Integrity API are attestation services verifying if a device is running authorized software. Banking apps, payment services, and other sensitive applications refuse to run on devices that fail these checks.
Most mainstream apps rely on Google Play Services for core functionality. Without proper certification, custom ROMs can’t access these services, severely limiting their usefulness.
The technical ability to install custom software becomes meaningless if that software can’t access the ecosystem of apps and services that make a smartphone useful.
It’s not altruism
Android must enable 3rd party app stores. Apple got bent in that direction by the European Union, and Google has to follow. By forcing developer registration, they follow in Apple’s footsteps, which have already been approved as compliant.
Registration requires you to upload copies of official documents that confirm your identity and your address. You will need to accept the fact that your home address may be visible to the public. This will happen if your app involves any kind of payment. I would not be too surprised if this applied to all other apps as well in the future. All that to solve a problem that could be addressed through less invasive means. It’s an obvious data grab.
The bigger picture
There is a big elephant in the room, and its name is age verification. The European Union seems to have decided on putting both Google and Apple as gatekeepers to the World Wide Web for all EU citizens. This will ultimately put any non-authorized Android fork to death and will further take away the means to actually be in charge of a device I own. It’s common practice to install FOSS on end-of-life devices. Preventing that is sanctioned planned obsolescence as those devices will be rendered unusable.
This will bar you from your banking apps, digital government services, your authenticator applications, in short, anything that handles sensitive information unless you purchase a new phone.
All that because the European Union puts Google, known for targeting children with ads, in charge of age verification, to protect said children from the dangers of the internet. That’s exactly my kind of humor.
Balancing Security and Freedom
I acknowledge that security is important. Many users do need protection, and malicious software is a genuine threat. However, security and user freedom don’t need to be mutually exclusive. The best security systems protect users while still respecting their autonomy.
What’s concerning about Google’s approach is that it centralizes control rather than distributing trust. When a single entity controls both the platform and the verification process, users lose their agency. A better system would provide security guarantees while maintaining the user’s right to make informed choices about their devices.
Closing words
Android phones once had removable batteries, MicroSD card slots, headphone jacks, and physical buttons. With these new measures in place, what prevents me from picking an iOS phone instead? They feel snappier and receive updates much longer.
Generally speaking, in the last decade I witnessed consumer products getting worse and hostile practices becoming the norm. Be it my phone, my TV, my Windows PC (that I threw out). Everything is centered on delivering advertisements while options to shut certain things off disappear. The companies profiting seized the means of open source software and turned it against us while non-tech-savvy people act uninterested or even ignorant.
What we need is not just better technology, but better governance of technology; systems that respect both security and freedom, rather than trading one for the other.