Google Will Allow Only Apps from Verified Developers to Be Installed on Android
Original: Google will allow only apps from verified developers to be installed on Android
Key topics
Official announcement 1: https://android-developers.googleblog.com/2025/08/elevating-...
Official announcement 2: https://developer.android.com/developer-verification
Play Console Help: https://support.google.com/googleplay/android-developer/answ...
Google is shaking up the Android ecosystem by introducing a new developer verification process, sparking a heated debate among users about the implications for sideloading apps, open-source development, and the overall openness of the platform. While some commenters, like jajuuka, argue that the new "hobbyist" account type won't hinder sideloading or require excessive paperwork, others, such as rep_wex and ohdeargodno, express concerns that it will stifle innovation and force developers to surrender their anonymity. As users like Zak and flawn lament the erosion of Android's customizability, others, like shadowgovt, warn that this move could backfire, driving users towards more restrictive alternatives like Apple. The discussion reveals a deep-seated tension between Google's desire for security and users' need for flexibility and autonomy.
Snapshot generated from the HN discussion. Story posted Aug 25, 2025 at 2:18 PM EDT; first comment Aug 25, 2025 at 1:29 PM EDT; peak activity 68 comments in the first 0-6h; latest activity Aug 29, 2025 at 11:52 AM EDT. Based on 160 loaded comments.
> Verify your identity
> * You will need to provide and verify your personal details, like your legal name, address, email address, and phone number.
> * If you're registering as an organization, you'll also need to provide a D-U-N-S number and verify your organization's website.
> * You may also need to upload official government ID.
Only one of those three applies to organizations.
>A note for student and hobbyist developers: we know your needs are different from commercial developers, so we’re creating a separate type of Android Developer Console account for you.
Nothing about it says anything about having lighter requirements, just not going through a Play Console link. Even if the requirements end up being "lighter", the minimum will always be at least "link a Google account", which is already a massive privacy breach.
> It also doesn't prevent you from side loading.
It absolutely does. Quoting from Google:
>Starting next year, Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices.
certified Android devices being... 99.9% of all Android devices in existence.
https://android-developers.googleblog.com/2025/08/elevating-...
It's not a massive privacy breach. If you are so anti-Google yet use their devices then most likely you're already only distributing to GrapheneOS or LineageOS anyway. For most people who already have a Google account this is a very small bar to clear.
Getting a DUNS number is ass, getting the 20 testers is ass, etc etc.
I do not want to give Google my government ID to write a shitty little app that only my family will use, or only close friends use and it gets sideloaded through sending it on chat. I do not want people making apps to skip ads on YouTube giving out their government ID. I do not want people making apps that might get them in trouble with their government to give out their government ID to Google.
We do not know yet who will be considered "hobbyist". I would say they might check the user base. When hitting an app installation threshold of, let's say, 1,000 users, they will force you to pass the full legal check. Otherwise they will start blocking any further installations.
They've been chipping away at this over the years. Safetynet was the first offense, but if they start restricting app installation from sources of my choice (I hate the term "sideloading"), there's not much advantage left.
Google is trying something which will be a net negative for everybody, instead of keeping this _massive_ USP that also keeps a core userbase. Might as well switch to iOS now, I don't have anything which keeps me on Android.
Personally: I don't use Apple because I like being able to whip together little apps to side-load without having to check in with a walled-garden mothership. If Google is going to move closer to Apple in that regard... Apple's UX ecosystem is better, so I have far fewer reasons to keep using Android.
Damn the future sucks ass.
I think I'll look into what Android phones are out there that aren't glued to the Google Play ecosystem. Side-loading is still a feature the OS core supports even if Google switches it off (for now, and AFAIK the OS is forkable if they press the issue).
Alternatively, and that’s almost bullshit, the dumb phone trend continues and we might get devices like PDAs. Get a dumb phone and a small camera and then your PDA for everything that is essentially an app. Not sure what OS they’d run but I don’t see another way.
As long as they still allow running stuff inside of apps like that I will probably not abandon ship yet.
[1] https://news.ycombinator.com/item?id=41895718
GrapheneOS won't survive the next generation of devices because bootloader unlocking will also go away (https://news.ycombinator.com/item?id=44765939), and without kernel security updates that OS can't continue.
Now there's also no more sideloading, so what purpose does Android even serve anymore?
Can you download, build, and install a basic Android system these days without touching a single piece of closed code? Absolutely. Will it be able to do much without closed binaries? No.
Android isn't GNU/Linux where there's a general ethos of making everything in userland FOSS if at all possible. Rather, it's a free OS that both Google and manufacturers can do anything they want with, including shove a ton of spy and bloatware on it, then make it to where you can't get rid of those things, at least not easily.
The optimism from 15 years ago surrounding FOSS in the mobile space is on its deathbed.
Is it really doing anyone in FLOSS any favors if the projects are legally open but not practically?
I feel rooked on Android tbh. If the idea was to give large companies a free way to manage the hardware resources in SKUs that are competitors to the iPhone, yeah, it definitely accomplished that, but that makes it only a means to an end. It's not like GNU/Linux where there's any ethos to seriously change how software and services are delivered.
The comment in the thread you linked directly contradicts the claim that "bootloader unlocking will also go away".
Because Google-free AOSP-derived Android distributions are far more versatile, offer far more freedom, impose far fewer restrictions and tend to end up being far less expensive than whatever the fruit factory decides their dedicants have to use today. If Google goes the way of the fruit folks and AOSP no longer offers these freedoms the next step is not to surrender to the Church of Apple but to find a way to evade those restrictions.
iOS does a tremendous amount of data collection including for the usage of ads as per Apple's privacy policy. All the same types of data that stock Android collects, even.
You may believe Apple is a generally better steward of that data than Google, but using iOS does not reduce the amount of data being hoovered up in any meaningful capacity.
> Now there's also no more sideloading, so what purpose does Android even serve anymore?
I hate this change, but I still prefer Android. iOS is hardly perfect nor does it do everything better...
More info:
https://developer.android.com/developer-verification
https://support.google.com/googleplay/android-developer/answ...
Personally...we all know the Play Store is chock full of malicious garbage, so the verification requirements there don't do jack to protect users. The way I see it, this is nothing but a power grab, a way for Google to kill apps like Revanced for good. They'll just find some bullshit reason to suspend your developer account if you do something they don't like.
Every time I hear mentions of "safety" from the folks at Google, I'm reminded that there's a hidden Internet permission on Android that can neuter 95% of malicious apps. But it's hidden, apparently because keeping users from using it to block ads on apps is of greater concern to Google than keeping people safe.
> we will be confirming who the developer is, not reviewing the content of their app or where it came from
This is such an odd statement. I mean, surely they have to be willing to review the contents of apps at some point (if only to suspend the accounts of developers who are actually producing malware), or else this whole affair does nothing but introduce friction.
TFA had me believing that bypassing the restriction might've been possible by disabling Play Protect, but that doesn't seem to be the case since there aren't any mentions of it in the official info we've been given.
On the flip side, that's one less platform I care about supporting with my projects. We're down to just Linux and Windows if you're not willing to sell your soul (no, I will not be making a Google account) just for the right to develop for a certain platform.
https://developer.android.com/develop/connectivity/network-o...
It's been there since Android 1.0.
What's missing is a way for the user to deny it.
Google mostly doesn't let you deny permissions while running apps that require them; recently there are some permissions that you can pick at runtime. So it's not surprising that they don't let you deny this one, when they don't even show it in the store.
App page => "About this app" => "App permissions / See more" at the bottom of the page => look for "have full network access" in "Other"
The internet permission has nothing to do with ads? It's a hidden permission because:
1) Internet connection is so ubiquitous as to just be noise if displayed
2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar
That doesn't make it any less useful.
> 2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar
I've heard claims that the Internet permission is flawed, yes, but I've never managed to find even a single PoC bypassing it. But even if it is flawed, don't you think Google would be a bit more incentivized to make the Internet permission work as expected if people could disable it?
Hey we were already on board with this, you don't have to convince us.
You could very specifically ban ACTION_VIEW intents for web URIs from apps without an internet permission I guess. But does banning apps from linking to the web (to be opened in browsers) really seem like a good idea?
That's also why there's a warning before installing really old apps, they may run with extra permissions.
and isn't it immediately apparent that the app is leaking data if your calculator is popping a webview?
Yes, this is a little suspicious. But you just have the evil page redirect to google.com or something benign. To the user it looks like "huh, chrome just opened on its own."
Calculator.apk wants to open the web page https://eviltracker.example.com. Allow this time? Allow for 24 hours? Allow and don't ask me again?
Doing this for all apps would be wild. Doing this just for those that don't request the internet permission just encourages more apps to request it (it is basically universally used anyway). "Huh, why does my calculator need internet" has never actually been effective at helping people avoid malware at any meaningful scale.
No it wouldn't, not at all.
90% of apps on your phone do not need to be apps. Facebook does not need to be an app. Instagram does not need to be an app.
This is a sober reminder that apps are executable code that is running on your phone with very little sandbox. It's not like a web browser.
We do not need to execute compiled binaries that are closed source to buy parking that one time. No, no we don't.
Why do we? Because as I've said - such apps are much more powerful than the web browser and can therefore be used as spyware or keyloggers. Most apps on Android, including most Google apps, can be regarded as spyware.
Companies don't want to give up their de facto malware they've built up, and now users are trained to just install whatever the fuck on their phone.
We have given software 1000x more permission than it needs to do what it does. And now, we sit back and complain about malware.
This starts with Google, this starts with Meta, this starts with big tech. They directly caused all this malware by forcing users into downloading executables so they can exfiltrate your key presses.
Because it is obvious. Just open a web browser.
More details here: https://old.reddit.com/r/androiddev/comments/ci4tdq/were_on_...
The main thing this permission would be used for would be blocking ads. Also distinguishing shitty apps that are full of ads from those that aren't. If there is a calculator that needs Internet and one that doesn't, which one are you going to use?
This permission has existed for longer than runtime permissions. You have never been able to revoke it, it was just something you agreed to when you installed the app or you didn't install the app.
It was "removed" in that era because if every app requests the same permission, then nobody cares about it anymore. When every app asks for the same thing, users stop paying attention to it. So no, it had fuck all to do with ads because that was never a thing in the first place. And ad blocking doesn't require this permission, either.
> Also distinguishing shitty apps that are full of ads from those that aren't. If there is a calculator that needs Internet and one that doesn't, which one are you going to use?
You can still use it for this. Apps are required to declare the permission still, it's listed on the Play Store under the "permissions" section. Similarly the OS reports the same thing. Presumably F-droid or whatever else also has a list of permissions before you install, and it'll be listed there.
Although Google's own Calculator app requires Internet permission. Take that for what it's worth.
I just tend to give Google little benefit of the doubt here, considering where their revenue comes from. Same as when they introduced manifest v3, ostensibly for security but just conveniently happening to neuter adblocking. Disabling access to the internet permission for apps aligns with their profit motive.
That's not even a little bit true? There's a ton of 'normal' permissions, almost none of which are user-overrideable. Like, say, android.permission.VIBRATE. Or android.permission.GET_PACKAGE_SIZE. Android has an obscene number of permissions ( https://developer.android.com/reference/android/Manifest.per... ) and almost none of them have a UI to control them nor any ability to be rejected
> It is an obvious win for an advertising/surveillance company like Google. What is wack about it?
How, exactly? How does Google benefit from random 3p apps having Internet access? And remember, Google has play services on every device to proxy anything it needs/wants.
So rather than just dismissing the argument via insulting language, can you provide a reasonable alternative explanation for why this setting isn't exposed to the user?
And I did provide 2 reasons why that's the case for Internet specifically, neither of which were even attempted to be refuted in this comment chain
Some Chinese skins do offer the ability to revoke internet access for apps. I wonder why the western ones don't?
I pretty solidly refuted your first reason (internet connection is ubiquitous, apps don't need it). I pointed out that there are whole categories of apps that don't need a network connection. You never bothered to refute my argument and are now claiming that I didn't address that point. You claim it is a 'ubiquitous' permission, but haven't said why a level sensor app that just reads the MEMS gyro sensor would need a network connection at all. So that's point 1 sorted, which I already addressed and you are pretending wasn't refuted.
Point 2 was "2) It's not robust, apps without Internet permission can still exfiltrate data relatively easily by bouncing off of other apps using Intents and similar"
I never addressed this, because it seemed extraneous to the discussion. This data exfiltration is purely a hypothetical at this point, since apps can always rely on a network connection. Sure, if the network setting was exposed to the user and was able to be toggled, there might be ways to bypass that. But that is hypothetical, and relies on hypothetical security loopholes. No apps are currently doing this, since apps can't have their network permissions toggled. The possibility of potentially bypassing the system network permission toggle doesn't seem germane, since it's a hypothetical. To use your words, it's a 'whack-ass conspiracy theory' and not a germane concern.
You've resorted to ad-hominem by insinuating that my viewpoint is a conspiracy theory and haven't even attempted to address my point that there are whole categories of apps that don't need network connections. You also are trying to claim that I haven't addressed points you made, while ignoring my argument that rebutted those claims. I'm sorry, but since you want to engage in this way, why are you so addicted to the taste of Google boot leather? Why are you trying to say that Google doesn't want to protect its ad network? Android apps using Google adsense to serve ads to users clearly benefits them, I don't even see why this is controversial.
I mean, would you chop off your own foot? No? Then we should all be in agreeance. Google is definitely forcing network permission for every app to maximize their ad revenue.
Requiring company verification helps against some app pretending to be made by a legitimate institution, e.g. your bank.
Requiring public key registration for package name protects against package modification with malware. Typical issue - I want to download an app that's not available "in my country" - because I'm on a holiday and want to try some local app, but my "play store country" is tied to my credit card and the developer only made it available in his own country thinking it would be useless for foreigners. I usually try to download it from APKMirror. APKMirror tries to do signature verification. But I may not find it on APKMirror but only on some sketchy site. The sketchy site may not do any signature verification so I can't be sure that I downloaded an original unmodified APK instead of the original APK injected with some malware.
Both of these can be done without actually scanning the package contents. They are essentially just equivalents of EV SSL certificates and DANE/TLSA from TLS world.
The solution here is just to get rid of artificial country limitations which make some users download APKs. None of those make sense in the online world anyways.
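The per-package key registration described in the comment above, as an added example that is not part of the original thread: it reads the first signer certificate from an APK Signature Scheme v2 block and compares its SHA-256 with a registered fingerprint. The registry, the package name and the sample bytes are constructed for illustration, and the code only reads the certificate the APK claims; validating the signature over the file contents is left to a full verifier such as `apksigner verify`.

```python
import hashlib
import struct

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_SCHEME_ID = 0x7109871A          # APK Signature Scheme v2 block ID
EOCD_SIG = b"PK\x05\x06"           # ZIP end-of-central-directory signature


def _take(buf, pos):
    """Read one uint32-length-prefixed field; return (field, next_pos)."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from("<I", buf, pos)
    end = pos + 4 + n
    if end > len(buf):
        raise ValueError("field overruns its container")
    return buf[pos + 4:end], end


def signer_cert_sha256(apk):
    """SHA-256 (hex) of the first v2 signer certificate, or None if no v2 block."""
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(apk):
        raise ValueError("not a ZIP/APK: no end-of-central-directory record")
    (cd_off,) = struct.unpack_from("<I", apk, eocd + 16)
    # The signing block, when present, ends right before the central directory.
    if cd_off < 32 or apk[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        return None
    (size,) = struct.unpack_from("<Q", apk, cd_off - 24)
    start = cd_off - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("inconsistent signing block size fields")
    pos, end = start + 8, cd_off - 24
    while pos + 12 <= end:                      # walk the ID-value pairs
        pair_len, pair_id = struct.unpack_from("<QI", apk, pos)
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("malformed ID-value pair")
        value = apk[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
        if pair_id == V2_SCHEME_ID:
            signers, _ = _take(value, 0)
            signer, _ = _take(signers, 0)
            signed_data, _ = _take(signer, 0)
            _digests, p = _take(signed_data, 0)
            certs, _ = _take(signed_data, p)
            cert, _ = _take(certs, 0)
            return hashlib.sha256(cert).hexdigest()
    return None


def check_against_registry(package, apk, registry):
    """Compare the APK's claimed signer with the fingerprint registered for it.

    A "match" is only meaningful once the v2 signature itself has been
    validated, because a signing block can be copied onto altered contents.
    """
    expected = registry.get(package)
    if expected is None:
        return "unregistered"
    found = signer_cert_sha256(apk)
    if found is None:
        return "unsigned"
    return "match" if found == expected else "mismatch"


def _lp(b):
    """Prefix bytes with a little-endian uint32 length."""
    return struct.pack("<I", len(b)) + b


def build_sample_apk(cert, with_block=True):
    """Constructed input: a ZIP skeleton with an optional v2 signing block."""
    signed_data = _lp(b"") + _lp(_lp(cert)) + _lp(b"")   # digests, certs, attrs
    signer = _lp(signed_data) + _lp(b"") + _lp(b"")      # + signatures, pubkey
    value = _lp(_lp(signer))
    pair = struct.pack("<QI", 4 + len(value), V2_SCHEME_ID) + value
    size = len(pair) + 24                                # pairs + size + magic
    block = (struct.pack("<Q", size) + pair +
             struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC)
    body = b"constructed-entries" + (block if with_block else b"")
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, len(body), 0)
    return body + eocd


# Constructed sample values (placeholder bytes, not real X.509 certificates).
CERT_DEV = b"constructed certificate bytes: original developer"
CERT_OTHER = b"constructed certificate bytes: repackager"
REGISTRY = {"com.example.localapp": hashlib.sha256(CERT_DEV).hexdigest()}

if __name__ == "__main__":
    for label, apk in [("original", build_sample_apk(CERT_DEV)),
                       ("re-signed", build_sample_apk(CERT_OTHER)),
                       ("stripped", build_sample_apk(CERT_DEV, False))]:
        print(label, check_against_registry("com.example.localapp", apk, REGISTRY))
```
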
You've never needed the internet permission to exfiltrate data. Just send an intent to the browser app to load a page owned by the attacker with the data to be exfilled in the query parameters.
And of course basically every app requires internet permissions for ordinary behavior. The world where an explicit internet permission would somehow get somebody to look askance at some malware that they were about to download is just not believable.
https://www.bitdefender.com/en-us/blog/hotforsecurity/hacker...
Sure. It’s also not Google’s problem.
It’s not Victorinox’s problem if someone uses a Swiss Army knife to cut someone else. It’s not Toyota’s problem if someone deliberately runs over a pedestrian.
If they don't do that then their reputation will suffer and governments might take notice. So, in practice, big companies do have to care about their users, not individually but in aggregate.
This is like a car manufacturer preventing the installation of all unapproved aftermarket accessories by claiming they're protecting you from a stalker installing a tracker on your car.
Didn't Kia go over a decade without caring or improving until the Kia Boys stuff?
1. Most users do not use fdroid or APKs to download software. They download software from the play store.
2. Therefore almost all malware will target the play store.
3. Therefore most malware actively used comes from the play store.
4. Compounded, the play store does almost nothing to prevent malware and actively encourages certain types of malware like spyware and adware.
5. Compounded, Google gets a cut from each piece of malware sold on the play store or advertised on the play store, therefore they have no incentive to prevent malware in any significant way.
This isn't necessarily true even if you're right on all the other points. Even if most malware is on the Play Store, it can still be true that, out of the Android users that DO get malware (or rather, those that actually report malware to Google), most of them got it from outside the Play Store.
It can be true that a minority of users get any malware at all because Play Store is safe, but most users in that minority get malware because they are open to using apps from outside Play Store.
If Google is making this change in service of safety, they would protect a large chunk of that minority, by verifying apps downloaded outside Play Store. If it's necessary for Google to help these users, this change is not "completely unnecessary".
That's still security, albeit an entirely different threat model.
Of that they still refuse to sandbox the play store.
It's easy to see that there's a pattern on what they are copying from GrapheneOS.
It's absolutely essential that Google Play Services have "root" permissions and circumvent the permissions system normal apps have. How else would Google have access to all of your data? :)
Still an awful solution that will get bypassed easily, of course. But there's more to this than "Google decided to be a bunch of dicks today".
A lot of people are pretending there is no malware problem and that Google should just do nothing and move on. That's not helpful.
This bullshit needs to be aborted as soon as possible, but a solution for mobile malware is desperately needed. The crutch used on desktop, invasive antivirus, doesn't work on Android unless it comes from the OS manufacturer, so we need a new solution.
https://www.electronforge.io/guides/code-signing/code-signin...
It’s something possible only on grapheneos as far as I know.
I don't think we can know for sure before the change is actually in place. Going through Play Protect would certainly be the easiest way of implementing this - it would be a simple change from "Play Protect rejects known malware" to "Play Protect rejects any app that isn't properly notarized". This would narrowly address the issue where the existing malware checks are made ineffective by pushing some new variant of the malicious app with a different package id.
It's a big change for the ecosystem nonetheless because it will require all existing developers to register for verification if they want to publish a "legit" app that won't be rejected by any common Android device - and the phrasing of the official announcements accurately reflects this. But this says nothing much as of yet about whether power users will be allowed to proactively disable these checks (just like they can turn off Play Protect today, even though very few people do so in practice).
Yes, there are apps out there that try to trick the system and when you use them, instead of looking innocent, it's actually a casino app or something. But Google usually finds those. Are there any apps impersonating a bank? Because that is what regular people care about & think of when someone says "malicious".
They don't care if an app tracks what other apps are installed, what the user taps on, etc. Arguably they should care, but they don't lose money from it.
To be honest, it almost makes me wonder if the issue here is not related to security at all. I am not being sarcastic. What I mean is, maybe the issue revolves around some of the issues MS had with GitHub (sanctions and KYC checks).
Ah, then I guess everything is fine. I'm sure they aren't in favour because it gives governments greater control over what apps we're allowed to have on our phones. That would be absurd.
> Singapore Android users to be blocked from installing certain unverified apps as part of anti-scam trial (07 Feb 2024)
— https://www.channelnewsasia.com/singapore/google-android-dev...
It makes total sense to the average person. There has been a constant stream of “yet another Android user got scammed out of their life savings because of Android side loading; iPhone users not affected”
It’s an inconvenient fact for power users, but side loading makes users significantly more vulnerable to scams and restricting side loading is both a predictable and reasonable response to that fact.
If you don’t like this, you need a better argument than “my desire to run any app I want is more important than pensioners losing their life savings” because that is not a winning argument with the average person, with governments, or with Google/Apple.
— https://news.ycombinator.com/item?id=44194034
> As I’ve mentioned here before, sideloading is a genuine security concern, not merely an excuse for Apple to exert control. There is a never-ending stream of people losing their life savings. It happens on Android and not iOS because Android allows sideloading and iOS doesn’t. There is a very real human cost to this.
> Police warn new Android malware scam can factory reset phones; over S$10 million lost in first half of 2023
> There have been more than 750 cases of victims downloading the malware into their phones in the first half of 2023, with losses of at least S$10 million (US$7.3 million).
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> DBS, UOB become latest banks to restrict access if unverified apps are found on customers' phones
> They are the latest banks in Singapore to do so – after OCBC and Citibank – amid a spate of malware scams targeting users of Android devices.
— https://www.channelnewsasia.com/singapore/dbs-uob-anti-scam-...
> 74-year-old man loses $70k after downloading third-party app to buy Peking duck
> “I couldn’t believe the news. I thought: Why am I so stupid? I was so angry at myself for being cheated of my life savings. My family is frustrated and I ended up quarrelling with my wife,” said Mr Loh, who has three children.
— https://www.straitstimes.com/singapore/74-year-old-man-loses...
> Singapore Android users to be blocked from installing certain unverified apps as part of anti-scam trial
> "Based on our analysis of major fraud malware families that exploit these sensitive runtime permissions, we found that over 95 per cent of installations came from internet-sideloading sources," it added.
— https://www.channelnewsasia.com/business/anduril-secures-305...
> CNA Explains: Are Android devices more prone to malware and how do you protect yourself from scams?
> Why are scammers more likely to target Android users? How do you spot a fake app and what should you do if your device is infected by malware?
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> Nearly 2,000 victims fell for Android malware scams, at least S$34.1 million lost in 2023
> In 2023, about 1,899 cases of Android malware scams were reported in Singapore. The average amount lost was about S$17,960.
— https://www.channelnewsasia.com/singapore/android-malware-sc...
> Android users in Singapore tried to install unverified apps nearly 900,000 times in past 6 months
> These attempts were blocked by a security feature rolled out by Google six months ago as part of a trial to better protect users against malware scams, which led to at least S$34.1 million (US$25.8 million) in losses last year with about 1,900 cases reported.
— https://www.channelnewsasia.com/singapore/android-users-inst...
https://news.ycombinator.com/item?id=44194034
I didn’t notice that Hacker News had truncated the URLs for display. You can get to the articles by following the links in the original comment.
> You are aware that it's not the app store that protects you, but the sandboxing?
Both protect you.
> Are these impersonation vectors, ie phishing?
It’s a variety of things. Some use accessibility hooks to act as key loggers. Some seem to use exploits. Some are phishing by impersonating other apps.
However moving to a whitelist system I think is counterproductive. Especially when Google is the only one with the power to edit that list. There is a reason Microsoft or Apple never went down this route in the name of security. It's just too much of a burden on them and it hinders power users, hobbyists, and small developers. Cases where one might want to keep their identity to themselves are edge cases but they are VERY important edge cases.
F-Droid is a massive win for the mobile ecosystem, probably the last bastion of useful free software for mobile devices. Being able to build an APK at home and run it on my phone is the ideal way computers should be used. But you can't put a price on these freedoms.
You're advocating for a system that removes the least abusive app store so we can hand more control to the most abusive app store. I can't support that, especially when it's glaringly obvious that walled app store are neither necessary nor sufficient to provide safety for users.
We can't be handwringing about safety right now, because our right to free speech and to protest are at stake. Our democracies are at stake here.
This is a completely made up and hallucinated problem. I will not mince words - this is a blatant attempt at deception.
We do not need to block sideloading to:
1. Stop malicious apps (does nothing)
2. Stop users from side loading
If we want to stop sideloading, we can simply introduce an arduous process to enable side loading. For example - consider turning on ADB. Do we vaporize ADB? No, because that's fucking stupid.
But now when it comes to apps, that little nugget of information is suddenly conveniently not considered.
In my case I keep a copy of K9 Mail 5.6 with the original UI (the reason I choose K9) and I sideload it to every device of mine. I'm afraid that I'll have to register an account and what, claim that that K9 is mine?
-- Apologies for my brevity.... --
It's so fundamentally depressing, and completely at odds with how I grew up viewing tech.
We're being pushed a message that we're all impotent but the reality is that collectively we can change things, and apathy is exactly what these people try to push onto us.
Things get worse but there are also good laws being pushed: see for example digital markets act and GDPR. 2008 when I started using Linux, gaming on Linux was horrible. Now it's day and night, and linux, while still small, is more popular and usable than ever. Recently alternative social medias like Bluesky, and Mastodon enable more open ecosystems and they've gained a lot of traction.
Android has alternative ecosystems like F-Droid and GrapheneOS that can be built upon and hopefully we can get it to a point where we can ditch Google. We need to keep up the fight.
Sweet talk and online activism is great, but the TLDR is always open-source developers need money to work.
If this actually goes through, there will be no option in the mobile OS market for an OS that both:
a) allows the installation of apps without any contractual relationship with any party, and
b) allows the use of mainstream and secure apps like banking
If anything, they'd eventually deny access from desktop, forcing everyone to log in via the fully managed mobile devices without any user freedom.
Some banks are already getting there btw, as their preferred 2FA is a companion app... One small step away from making that the only option, effectively denying access to anyone without a locked down mobile device.
What are you doing that you need to use your banking app daily?
It seems like a once a month affair. Pay the bills, take some cash out of the account, and you're done. Online shopping just needs a credit card, no apps required.
The app is required for two-factor authentication.
I requested it after they updated their Android app to have a check for pin-code enablement. Sailfish OS doesn't report it via the Android AppSupport system, so it was blocked before I grabbed an older build via Aurora and disabled it from updating. If it ever stops working, I'll only use the token. Once that stops working, I will switch banks.
Any limitations to access to banking are seriously f**ed. Makes me want to use cash.
And I have to agree, sadly. We've been inching towards that over the years, and it's entirely possible banks cease providing regular web access to their accounts (which this would necessitate).
But I think there will always be at least some banks that will have a web frontend, so you'll just have to be pickier.
When I complained repeatedly that this was forcing me into an American or Chinese ecosystem, they said that no one cares and I'm a minority :-(.
For the desktop, you need the phone for the 2FA.
You can apply for an HSBC Global Money Account if you have: […] The HSBC UK Mobile Banking app (Global Money is only available via the app)
From https://www.hsbc.co.uk/current-accounts/products/global-mone...
Thankfully I don't actually rely on PayPal for anything serious, but there are artists whose commission I like to pay, and being able to actually pay them would be nice. :/
Ah, and it can only be installed in one device at the same time :D Don't have your phone available? Bad luck for you
Google started doing this for Gmail. To use Gmail on my laptop, I need to approve it with Gmail on my phone. I never signed up for this. I’m now afraid if I delete the Gmail app from my phone that I’ll lose access to my email.
I hate the direction “security” is taking us. It’s done in the name of security, but it feels more like blackmail to get and keep the company app on your phone.
One huge fear I have now is breaking my phone while away from home and getting locked out of everything.
I was on vacation several years ago and broke my phone (the only time I’ve ever done that), and got lucky in several ways. I had a 2nd work phone with me. I was able to use that to call an Uber to get to an Apple Store; I was lucky to be in a city with an Apple Store. Then I got lucky again that I was able to talk Apple into giving me a replacement right there instead of a repair, they happened to have a single phone in stock to do that with. Then I got lucky yet again when I went to set it up, because I had an iPad with me by dumb luck, which was able to do my Apple 2FA that I didn’t sign up for.
If I go somewhere with just my 1 phone and no second device… I’m thinking I need to set up and bring a bunch of recovery codes, which has its own risks. My plan would be to cryptically write them down and put them in a money belt, as if those got into the wrong hands I’d be screwed.
I really don’t know what people do who only have a phone and nothing else. It seems they would always have this risk.
I neither like nor understand this restriction. It makes device failure / loss / theft a much more difficult experience to recover from than it would otherwise be. The device should be throwaway. I specifically keep old phones in case something happens to the new one.
WhatsApp is probably the stupidest example of only being able to be on a single device (but I'm forced to use WhatsApp for one specific purpose, so I already resent it). Signal does the same thing, so maybe it's related to the E2EE that WhatsApp licensed from Signal...
That's not really an artificial limitation but a design choice. They don't store your messages, only deliver them. Once the message is on your device, it's gone from their servers, like old POP3 mail.
More and more locked down devices, Android source releases only being published once a year, device drivers for reference devices disappearing, and now, verification of all your software for your "security". The war on general computing is well and truly on.
What the absolute fuck.