@haskal Security Man says forced obsolescence is about Security. Who cares that it means people need to buy way more hardware? I mean, those lazy application developers need to upgrade their shit. Nonono, don't blame Google for forking the shit out of Linux and encouraging rampant GPL violation by their hardware partners. Google's boots taste too good for Security Man!

@be @haskal Yeah I agree that failing to meet min SDK version reqs shouldn't result in being booted off the store. I do think that the store should allow users to filter apps below a given API level somehow. This could promote good security practices for those with the appropriate threat model *without* shafting people with older devices.

The main culprit wrt planned obsolescence is the device vendors who don't support devices longer than a given number of years, and don't upstream anything or have a community support program to allow development to continue after the end of an official support period.

Basically right now I have to choose between a malware fest (Google Play) where I have to be vigilant and check each app, or F-Droid where I check each app's SDK version and up-to-date-ness myself. It should be possible to combine the benefits of both without the drawbacks; I linked Accrescent as a possible example.

@Seirdy @haskal Google could pressure hardware vendors to get their shit together if they wanted.

@be @haskal Google should pressure *more*. They've pressured a little by using the carrot; it's time for the stick.

@be @haskal in which Seirdy says "selfish investor-backed company should please be selfless for a minute kthx" and expects literally anything to happen.

@Seirdy @haskal I don't think cleaning up the mess of Android wouldn't benefit Google. But apparently it isn't a big enough benefit to upset their business partners.

@Seirdy @haskal If Google denied Android certification to vendors that didn't upstream their drivers, I think this shitshow would clean up real fast.

@be @haskal Agreed. They could even do one of those roll-out plans they're such a fan of: by one quarter, the devices would lose support from Google Pay; by another, the Play Store; etc.

@Seirdy @haskal Though that may require Google getting their shit together and not giving vendors a starting point of a giant outdated fork of Linux.

@be @haskal > a starting point of a giant outdated fork of Linux.

Outdated forks of Linux are a problem in the Android vendor ecosystem. I think I get what you're saying but I'm not sure I agree with this particular phrasing.

Lots of Linux security improvements actually start in Android; the upstream AOSP is not exactly "behind" on security compared to upstream Linux. There are lots of other reasons to hate Google.

The problem isn't the AOSP kernel, it's the GPL-loopholing that encourages unmaintained forks.

@Seirdy @haskal IIUC by the time AOSP gets to vendors, the vendors are already starting with a Linux fork that is a few years outdated. That's a bad way to start working on a driver if you want to upstream the driver.

@haskal "open-source apps aren’t necessarily more private or secure. Instead, you should rely on the strong security and privacy guarantees provided by a modern operating system with a robust sandboxing/permission model, namely modern Android, GrapheneOS and iOS."

So, trust your proprietary operating system (bad idea) to deal with your lack of trust in the developers of the applications you use... instead of, you know, just trusting the application developers?? 🙃

@haskal Don't get me wrong, sandboxing applications is generally good. But relying on that in lieu of trusting application developers is a technological solution to a social problem.

@haskal Come to think of it, aren't all technological security measures technological solutions to social problems?

@be @haskal like 2FA is a technical measure for the social problem of some asshat trying to get access to your account.

@be @haskal iOS is proprietary; AOSP and GrapheneOS aren’t.

That being said, you shouldn’t have to trust either way. Tools including something like a packet sniffer should ideally be simple enough for everyone to use to know when an app requests network permission, and where it connects. Users worried about telemetry should be able to just deny network access instead of trusting anyone. That’s honestly a lot easier than looking at the repo for each app.

I thing FLOSS is essential for many reasons; at the same time, the best way to verify what a program does when you run it is to…run it.

The black-box and white-box approaches to securing a device are not mutually exclusive; they complement each other.

@be @haskal
"Backward compatibility is often the enemy of security, and while there’s a middle-ground for convenience and obsolescence, it shouldn’t be exaggerated. (...) the main repository of F-Droid is filled with obsolete apps from another era (...). Let’s not make the same mistake as the desktop platforms: instead, complain to your vendors for selling devices with no decent OS/firmware support."

"instead, complain to your vendors"

WTF. How naive can a person be?

@haskal also "incentivising != mandating". maybe a badge or something idk

@Sandra @haskal There's Cydia/Sileo/Zebra/etc but you need to be jailbroken and many tweaks/apps are closed source.

@haskal @easrng Oh, I was specifically looking for open source apps! I've got a friend with Xcode who compiles some stuff for me but it's difficult to find good open source apps. Maybe there is an "awesome" list out there.

@Sandra @haskal Yeah, the apps I mentioned are iOS equivalents of F-Droid-the-app, not F-Droid-the-repo. It's been a while since I've done iOS things so I'm not sure if there are any good open source only repos.

@Sandra @easrng @haskal That's because Apple is actively hostile to it. You can't publish GPL licensed applications on the iOS App Store without every contributor to the code agreeing to a special exception to the GPL. Apple's terms explicitly say you can't distribute the application outside of their app store among other ridiculous restrictions which are incompatible with the GPL.

@Sandra @easrng @haskal Developers also have to pay a $100 per year ransom to distribute iOS applications. So yeah, most open source developers don't bother.

@be
"Apple's terms explicitly say you can't distribute the application outside of their app store" But there are some apps that do have git repos up.

@Sandra It's questionable whether that's legal.

@be for example @delta ♥♥♥

@meena @haskal Is the Aurora Store known for malware?

@Shredd_Tone @haskal the Aurora Store is an alternative access to the Google Play store

(There's also Aurora Droid — and alternative access to the F-Droid itself!)

@meena @haskal I see. I know the Aurora Store informs the user with what trackers can be found on "their" apps. I guess I never considered the malware on them. It was still better than downloading an apk from a random website and installing, I think. Good thing I switched to Ubuntu Touch.