[HN Gopher] A theoretical way to circumvent Android developer ve...
___________________________________________________________________
A theoretical way to circumvent Android developer verification
Author : sleirsgoevy
Score : 42 points
Date : 2025-10-31 20:20 UTC (2 hours ago)
(HTM) web link (enaix.github.io)
(TXT) w3m dump (enaix.github.io)
| gruez wrote:
| Sounds like the UEFI shim loader that's signed by Microsoft but
| can load an arbitrary EFI executable (with some signing checks).
| The difference is that the UEFI shim loader is endorsed/condoned
| by Microsoft. What about Google? This seems easily patchable,
| ostensibly for "security purposes" (eg. disabling loading dynamic
| code).
| p_l wrote:
| Microsoft also forces manufacturers to provide an option to
| reset Platform Key aka SecureBoot "root of trust" key - which
| is supposed to be not possible in spec-compliant UEFI system.
|
| They don't do it out of goodness of their hearts, which is why
| it's more solid than relying on goodwill - Microsoft simply has
| an offering that _depends_ on that for certain high profile
| clients.
| XorNot wrote:
| I suspect it's also a defense against antitrust law suits -
| lock in was how they got sued for things circa Internet
| Explorer.
|
| Frankly they should still be getting sued for the way Edge
| and Cortana are bundled.
| asimops wrote:
| While it is technically feasible, it is not a good idea to try
| and find a technical solution to a people/organisation problem.
|
| Do not accept the premise of assholes.
|
| I hope we can get the EU to fund a truly open Android Fork. Maybe
| under some organisation similar to NL Labs.
|
| --- edit ---
|
| Furthermore, the need for a trustworthy binary to be auditable to
| a certain hash or something would make banning this a simple task
| if Google would want to go that route.
| thaumasiotes wrote:
| > I hope we can get the EU to fund a truly open Android Fork.
|
| How are things in the EU on whether it's legal to buy a SIM
| card without showing ID?
| jraph wrote:
| I'm confused, how are those two things related?
| peterhadlaw wrote:
| Nanny state
| vik0 wrote:
| More like surveillance state
| semolino wrote:
| The commenter you replied to was implying that the EU does
| not respect the privacy/freedom of mobile device users.
| remix2000 wrote:
| It is neither illegal nor hard to obtain such a prepaid SIM
| card.
| kube-system wrote:
| That very much depends on the country, many require ID.
| Kwpolska wrote:
| The ID presented at time of purchase does not have to be
| the ID of the actual user of the card. Your local
| drunkard will be happy to get $10 to buy a SIM card for
| you. Or you could visit eBay (or local equivalent) and
| get a valid SIM card without leaving your house.
| t_mann wrote:
| > verified loader apk, which in turn dynamically loads any apk
| the user wants
|
| Wasn't this kind of solution considered and sort of dismissed
| (because of too much centralization iirc) by F-Droid (can't find
| the reference now)? It seems like something that's worth trying,
| but in the end it's just a band-aid. If it gets any traction
| Google will shut it down. The real disease is dependence on a
| duopoly of (quasi)-proprietary OS for the dominant computing
| platform of our time.
| kevincox wrote:
| I see a handful of problems.
|
| 1. The loader will just get banned.
|
| 2. The application ID and permissions are that of the loader.
| To have different applications with separate data and
| permissions you would need multiple copies of the loader.
|
| 3. You miss out on other android security features such as
| application signing validation for updates.
| antiloper wrote:
| This will not work because the goal of android developer
| verification is to prevent running Google-sanctioned code. If you
| actually tried to publish this, Google will revoke the signature
| on the loader APK.
| NewJazz wrote:
| Ah yes sanctioned. A word that has two opposite meanings.
| zb3 wrote:
| Well, I'd rather verify myself with the government identity than
| accept a stock OS that literally woke me up with a fake message
| promoting Gemini despite me spending almost 2 hours turning every
| possible privacy-invasive setting off.
|
| To me, the attention to these verification changes seems
| misplaced. We need to defend the ability to unlock the
| bootloader, pressure Google to revive AOSP and then encourage
| people to switch to a more user-friendly OS.
|
| You're already unable to install what you want on a stock OS due
| to Android permission model treating you as a third-class
| citizen, after Google and OEMs.
| asimops wrote:
| In my opinion, the only solution while keeping Google and Apple
| as the developing entities is regulation.
|
| Despite that, there are some things that should not be for
| profit in my opinion. A good OS platform is one such thing.
| p1mrx wrote:
| I suggested this a couple months ago:
| https://news.ycombinator.com/item?id=45084296
|
| Android may ultimately win the arms race, but if they want to be
| evil, we should make their task as tedious as possible.
| neuroelectron wrote:
| Google doesn't need to make an argument to ban apps or
| developers.
| andrewcchen wrote:
| So like LiveContainer[1] which works around ios's signing
| requirements
|
| [1] https://github.com/LiveContainer/LiveContainer
___________________________________________________________________
(page generated 2025-10-31 23:00 UTC)