Android, Google’s mobile platform, declared on August 25 that it will mandate all app developers to authenticate their identity with the company before their applications can operate on “certified android devices.”
While this may appear to be a straightforward policy from Google, this new requirement is not merely going to be enforced for apps acquired from the Google Play store, but for all applications, including those “side loaded” — installed directly on devices bypassing the Google Play store. Such apps can be located on platforms like Github or project websites and installed on Android devices directly by downloading the installation packets (known as APKs).
This indicates that if there exists an application that Google disapproves of, whether due to non-compliance with its rules, politics, or economic motives, they can simply prevent you from using that application on your personal device. They are restricting Android devices from executing applications outside their control. The demand? Every developer, irrespective of whether they submit their apps via the Play store or not, must provide their personal details to Google.
This decision raises the issue: if you cannot operate any app you desire on your device without Google’s consent, is it truly your device? How would you react if Windows decided you could solely install software from the Microsoft app store?
This development has of course attracted attention in technology and cybersecurity outlets, causing significant controversy due to its serious implications for the open and free internet. For years, Android has been celebrated as an open-source operating system, and through this approach has achieved widespread adoption globally, especially in emerging markets where Apple’s “walled garden” model and premium devices are financially inaccessible.
This new guideline will enforce stricter regulations over apps and their developers, jeopardizing the freedom to run any software you wish on your device in a highly insidious and legalistic fashion. Given Google’s influence over the Android ecosystem, the repercussions of this policy are likely to be experienced by a vast majority of users and devices worldwide.
Android defends the policy alteration citing concerns regarding the cybersecurity of its users. Malicious apps side-loaded onto devices have resulted in “over 50 times more malware,” Android asserts in their announcement post. As a measure of “accountability,” and with the guidance of various governments globally, Android has resolved to adopt a “balanced approach,” and the terminology couldn’t be more Orwellian.
“Those who would surrender essential Liberty, to acquire a bit of temporary Safety, deserve neither Liberty nor Safety” – Benjamin Franklin
To put it simply, Google is aiming to gather the personal details of software developers, consolidating it in its data centers alongside all of its users’, in order to “safeguard” users from hackers that Google hasn’t managed to curtail in the first place.
After all, if Google and Android could genuinely keep personal user data secure from the outset, this wouldn’t be an issue, right?
Google’s answer to data breaches is to amass more user data, ironically, in this instance the information of developers utilizing the Android platform. A remarkable leap in reasoning, lazy and fundamentally misguided, indicating that they’ve lost their edge and arguably completely disregarded their now-removed “don’t be evil” motto.
Information Desires To Be Free
The truth is that Google finds itself ensnared by a dilemma inherent in the nature of information and the digital realm, echoing the 90’s cypherpunk Stewart Brand, “information almost desires to be free”.
Every transit that personal data, such as your name, face, home address, or social security number, makes throughout the internet presents an opportunity for it to be duplicated and leaked. As your data travels from your phone, to a server in your city, to another server in a Google data center, each hop escalates the possibility of your information being hacked and landing on the dark web for sale. A challenging dilemma when user data is the primary revenue model of a colossal entity like Google who processes and sells it to advertisers who in turn formulate targeted ads.
We can assess the accuracy of Brand’s information principle by examining two intriguing statistics, which surprisingly, not many people seem to discuss. Firstly, the astounding number of data breaches that have occurred in the last two decades. For instance, the Equifax Data Breach in 2017, impacted 147 million Americans, and the National Public Data Breach of 2024 affected over 200 million Americans resulting in leaked information including social security numbers which likely ended up for sale on the dark web.
Similarly, legendary breaches like that of the Office of Personnel Management of the U.S. government compromised a vast amount of U.S. Government officials’ data, spanning from social security numbers to medical records.
It is not an overstatement to state that a significant portion of Americans have had their data hacked and leaked already, and there’s no straightforward way to reverse that. How can one alter their face, medical history, or social security number, after all?
The second statistic, which seems to evade connection to the first, is the increase in identity theft and fraud within the United States. Were you aware that in 2012, identity theft amounting to 24 billion dollars was reported? Twice that of all other types of theft combined in that same year. Business Insider reported at the time, referring to Bureau of Justice statistics, that “identity theft cost Americans $24.7 billion in 2012, while losses for household burglary, motor vehicle theft, and property theft accumulated to just $14 billion.” Eight years later, that figure doubled, costing Americans $56 billion in losses in 2020. Both of these trends are still escalating today. It may very well be too late for the old identity system which we still depend upon so heavily.
Generative AI exacerbates the situation, in some instances trained with leaked user data, with models capable of creating high-quality images of individuals holding counterfeit IDs. As AI keeps evolving, it is increasingly able to deceive humans into believing they are conversing with another individual, rather than a robot, creating new vectors for identity fraud and theft.
Nonetheless, Google maintains that if we merely collect a bit more personal user information, perhaps then the problem will simply dissipate. Convenient for a corporation whose primary business model hinges on the accumulation and sale of such data. Has any other corporation inflicted more harm on civilian privacy than Google, by the way? Perhaps Facebook.
In Cryptography We Trust
To be fair to the 2000’s Web2 tech giants, the challenge of secure identity in the digital era is not a straightforward one to address. The legal frameworks of our societies
“`html
Concerns regarding identity were established long before the internet came into existence and transitioned all that information to the cloud. The only genuine remedy to this dilemma now lies in cryptography, and its implementation in the trust that individuals cultivate in their interactions in the physical world over time.
The cypherpunks of the 90s recognized this, which is why they developed two key technologies, PGP and webs of trust.
PGP
PGP, created in 1991 by Phill Zimmerman, pioneered the application of asymmetric cryptography to tackle the essential issue of safeguarding user data privacy while also allowing for secure user authentication, identification, and communication.
How? It’s quite straightforward, by employing cryptography in a manner akin to how Bitcoin secures over a trillion dollars in value today. You possess a secure ‘password’ and maintain its confidentiality, you do not disclose it to anyone, and your applications utilize it judiciously to access services, yet the password never departs from your phone. This method is feasible, effective, and there’s specialized hardware designed specifically to safeguard such information. The entity you wish to connect with also establishes a secure ‘password’, which enables both parties to produce a public address or digital pseudonymous ID.
The organization encodes a message using their password and your public address and sends it to you. Thanks to the wonders of cryptography, you can decrypt that message with your password and the company’s public address. That is all that is necessary to secure the internet. These public IDs do not have to expose any personal information about you, and you could possess one for each brand or identity you maintain online.
Webs Of Trust
However, there’s also the matter of reputation; how can you ascertain that the organization you are attempting to connect with is indeed who they claim to be? In cybersecurity, this is referred to as a man-in-the-middle attack, where a nefarious third party impersonates the entity you genuinely wish to connect to.
The method cypherpunks utilized in the 90s to address this issue was through the creation of webs of trust, facilitated by real-world gatherings known as ‘signing parties’.
When we meet face-to-face, we establish mutual trust or reaffirm that we already know and trust each other sufficiently to endorse each other’s public IDs. We effectively provide each other a cryptographic vote of confidence – so to speak – weighed by our brand or publicly known identity. This is akin to following someone on a public platform like X.com, representing the PGP analogy of stating ‘I’ve met Bob, I recognize XYZ as his public ID, and I confirm he is bona fide’.
While this may appear cumbersome, outdated, and seemingly incapable of scaling to a global level, technology has progressed remarkably since the 90s; indeed, this fundamental principle is how the internet is somewhat secured today.
Recall that green padlock once displayed on every website? That was a PGP-like cryptographic handshake between your device and the site you were visiting, validated by some ‘certificate authority’ or third party found online. Those certificate authorities evolved into centralized stewards of public trust and, like many other institutions today, probably require decentralization.
The same reasoning can be applied to the verification and authentication of APKs by enhancing webs of trust. In fact, within the open-source realm, software is hashed into a unique ID derived from its data, and that hash is signed by developer PGP keys even now. The software hashes, PGP public IDs, and signatures are all made available alongside the software for individuals to inspect and verify.
However, if you cannot confirm whether a PGP public ID is legitimate, then the signature holds little value, as it could have been generated by an impersonator online. Thus, as users, we require a link that authenticates that public ID as belonging to the genuine developer of the application.
The good news is this issue can likely be resolved without establishing a global surveillance state that hands over all our data to the Googles of the world.
For instance, if I wished to download an application from a developer in Eastern Europe, I probably wouldn’t know him or be able to verify this public ID, but perhaps I know someone who vouches for someone connected to this developer. Even if I am three or four connections away from this individual, the chances of their authenticity increase significantly. Faking three or four connections within a web of trust is highly costly for mercenary hackers aiming for a quick victory.
Unfortunately, these technologies haven’t been widely embraced, beyond the high-tech paranoid circles, nor have they received as much investment as the data mining business model prevalent across much of the internet.
MODERN SOLUTIONS
Several contemporary software projects recognize this logic and are endeavoring to tackle the prevailing issues, facilitating users to utilize and expand cryptographic webs of trust. Zapstore.dev, for instance, is constructing an alternative application store secured by cryptographic webs of trust employing Bitcoin-compatible cryptography; the initiative is backed by OpenSats, a nonprofit that supports open-source Bitcoin-related software development.
Graphene, an Android operating system fork that has gained popularity among cybersecurity enthusiasts, has also established an alternative app store that addresses many of these challenges without requiring DOX of app developers, and serves as a high-security operating system, aiming to resolve numerous privacy and security concerns currently faced by Android.
As improbable as it may seem, cryptographic authentication of communication channels and digital identities is the only method that can safeguard us from personal data breaches. The unpredictability and security derived from randomness through cryptography are the only aspects that AI cannot replicate. That same cryptography can assist us in verifying our identities in the digital age without necessitating the disclosure of our personal information to every intermediary, if employed correctly.
Whether this new policy by Android will endure or whether sufficient public backlash can halt it, leading to better solutions being popularized and embraced, remains to be observed; however, the reality is evident. A more effective path exists; we just have to recognize and choose it.
Source link
“`