Our company just got a warning that we have sixty days to release something on Play or have our developer console account closed. The email made it pretty clear that Google wants developers to continuously push new versions to customers. We have no new features nor bug fixes in backlog. There is nothing to update.
The only purpose of our software is to control hardware that our company makes. Nobody uses it for fun, they use it because they have to. If I had a say, I'd automate even larger parts of the customer workflow.
(Yes, at first we released a mobile PWA but ran into limitations related to push notifications and MDM support. We then created the native app, but our customers cannot remotely load APKs not signed by Google).
You can update the version number and re-release. I think this may also warrant adding the update note "Updated version number. Nothing else. Thank you Google".
That works if meanwhile Google hasn't decided to increase the target api level requirements [1]. In that case you may not be able to just republish the app, and extensive refactoring may be necessary.
Forcing apps using old sdks out of the app store is probably the main reason they do this.
That is only really necessary if your app is using old privacy or security problematic APIs.
Which is usually the root cause of this complaining - "why do I have to refactor my app so it won't demand access to all private photos and documents anymore?!"
Who actually asked for this? It's been nothing but a pointless nuisance to me as a user. Samsung complains at me if I choose to give an app persistent GPS access, on the rare occasion it even lets me. I want my programs to do as much as possible, not be hamstrung.
There’s a few apps where I want to grant broad permissions from the outset, but generally that’s not what I want, especially when it comes to photos, contacts, etc. In most cases there’s no benefit whatsoever to granting e.g. access to my entire photo library and it seriously irritates me to see apps insist on said access.
In fact if I had my way, I’d never see a prompt and permissions would default to “only selected” (collections) and “no access” (location, wifi, etc), with the handful of exceptions having access granted manually.
I gave Telegram access to only a few photos, and it pops up the "give me more access" dialog EVERY SINGLE TIME I open it. Not when I want to send a photo, every time I open the app!
My new startup idea: malicious compliance as a service
You forward us complaint emails and we create some AI slopscript that fulfils the least compliant interpretation of the rule it can think of.
The goal would be to use automated nonsense to try to frustrate MBAs who have managed to burrow all the way to the brain of a tech giant and are now burdening humanity with their folly.
Now I’m envisioning a future where nothing works and everything is halted endlessly because it is being handled by LLMs talking to LLMs, which summarize things so that other LLMs make a decision that gets expanded to a huge text with inconsistencies that in the end don’t make sense anymore.
> You can update the version number and re-release.
You kid, but Google makes substantial security and privacy SDK / API changes from one Android version to the next (reactively in response to abuse by 3p apps) & maintains backwards compatibility for a limited time period, post which incompatible apps are not visible to latest Androids on the Play Store. This means developers have to continually update their "targetSdkVersion", if nothing else.
Every once in a while they'll bump the minimum SDK version or whatever other upload requirements, so if you do that you may have to tweak a few other things to stay compliant, at which point it seems like their system is working as they intended it.
We do not allow apps that only have limited functionality and content.
Here is an example of a common violation:
Apps that are static without app-specific functionalities, for example, text only or PDF file apps
Apps with very little content and that do not provide an engaging user experience, for example, single wallpaper apps
Apps that are designed to do nothing or have no function
Clearly Google has no problem with apps that are just a WebView wrapper over a website, so they could just create one of those. I think there are automated tools for that.
This effectively exists already in the form of paying a third party for a maintenance contract. Actually bumping the version number and repushing an app is the trivial part of being forced to do yearly (or w/e) updates - there’s a bunch of grunt work that can’t be automated in a trivial way - bumping your API targets, fixing anything that breaks from that, updating your build pipelines, fixing anything that breaks from updating your build pipelines, etc.
Ugh, on both mobile platforms, we have/had multiple popular games whose updates keep breaking, and they keep deprecating SDKs for. And each game is on a different engine revision so we can't combine the work. We'd really like to keep these games up for our mobile players, but we can't justify the cost; we make some money on these platforms, but nothing that justifies the immense cost.
Meanwhile, our console/steam/gog builds have seen an update or so at our discretion, and have just continued to run happily, and make more money.
Honestly it's hard to justify the maintenance effort to even consider porting our next games to mobile.
But really the people who are hurt are our players that already bought our game, but when they upgrade phones or OSes they no longer have an option to play unless they want to transfer their licenses to PC.
Are you sure you don't rely on any third-party libraries that have been updated for security reasons? Are you sure there's no Android API being deprecated that you're still using?
I sympathize with the general idea that software that hasn't been updated in a long time is more likely to contain bugs and incompatibilities with newest OS versions. Whenever I've opened ancient apps on my iPhone or my Mac, they generally break either partially or entirely.
In your case I understand it might genuinely not need updates. But across the Play store as a whole, it seems like a largely beneficial policy. If there really aren't any dependencies that can/should be updated, surely you can make a tiny change to a text string somewhere, and get the added benefit of making sure your whole build chain still works? I get that it's annoying, but it really is valuable to weed out the truly unmaintained apps.
No, Google is being aggressive likely due to liability.
I made an Android app that used React Native and it was the simplest thing ever. It had no auth, no telemetry, no persisted storage. Quite literally all it did was take text input and output its braille equivalent and vice versa.
Had another one that made procedurally generated credits like you'd see at the end of a game. Same thing. No auth, no telemetry, etc.
I made a total of $3.97 for those apps. I did also receive a $350 settlement for some class action lawsuit Google lost about something they did to developers.
Closing my account removes me from potential future class action pools.
No, as someone that did Android development in the past, and still follows Android development due to its Java lineage, and being a managed OS for the most part, that isn't the case.
Google has become very aggressive, you need to keep updating the apps, to specific SDK versions, even if there are zero changes to your own application in terms of what APIs got changed.
Imagine if we talked about other computers like we talked about phones. It's just so weird
- you can only install programs from our approved package manager
- if you make any transactions through your program, we'll take a 30% cut
- you can't access those files, you're not root
- you got root?! We're going to fucking sue you (yeah, I know about the PS3...)
- you can't change these settings
- you can't access that hardware
Why did we think this was a good idea? Smartphones aren't "smart" without the apps! These companies depend on developers. The developers gave them the "food" that allowed them to grow so big. They only gain from developers! They would still gain even if every developer cost them money. How the fuck do we think they got to be trillion dollar entities in the first place?!
These companies have turned into scorpions[0]. It's myopic and they'll scream about how they're dying even though it's their own damn fault. These aren't just unavoidable things that are leading them to their deaths, but unreasonable. Foregoing larger future rewards (crossing the river) for short term ones (stinging).
It is insanity. Especially as we often try to justify it
Who is "we"? I think this has always been the wet dream of corporate types, not the users. In the PC space there are too many existing ecosystems to implement that kind of control (though Microsoft certainly tried with the whole "trusted computing" stuff) but as soon as there was an opportunity for a popular new "blue ocean" platform, they jumped.
You could see this most blatantly with ARM tablets. Microsoft released two versions of Windows, one for x86, one for ARM. The x86 one allowed installation of regular programs, the ARM version was restricted to Store apps. Made no sense from a technical perspective, the only reason is that they could.
But my point is that the strategy is illogical even when one is simply profit maximizing. You get short term gains but they prevent future gains. It need not even be that far in the future. See the iterated prisoner's dilemma for a simple example. Defecting will get you higher reward in one round but if there are any further iterations then your rewards are lower.
That's myopia. And I'm not satisfied with any "it's just how it is" style arguments because we (inclusive) are ultimately the ones who decide how things are. It's a collective decision, a society. And that's why I press, because we can all do better. A rising tide lifts all ships, kings and peasants alike.
This only applies to iPhones, most Androids are rootable, and even un-rooted, it is trivial (I mean really trivial, like 3 clicks) to install programs from outside of the app store.
My opinion is anyone who owns an iPhone knows what they sign up for, and does not care. So I don't get your rant.
- Do you own an iPhone? Well, you've made your bed, now lie in it. There are hundreds, if not thousands, of phones on the market - if you chose one without a 3rd party app store, it's on you.
- Do you own an Android? You have nothing to complain about, push any APKs you want anytime. Hey, get Samsung - it comes with a 2nd app store preinstalled (from Samsung of course). Maybe even root the phone if you want to.
(Note the GP mentions "MDM", and that's why they could not use this route. MDM means corporate security, and they apparently made a rule to block 3rd party installs. This is sad, and I feel for them... but this is a corporate problem, regular users are not affected)
- Are you complaining on behalf of other people? They are all adults and made their own choice. If you want to make a difference, advocate against Apple. Or even better, advocate for regulations against Apple, to make their products worse so that more people move to Androids.
> This only applies to iPhones, most Androids are rootable, [...]
Except that this breaks SafetyNet, which makes a bunch of applications important for my daily life (e.g. my banking app) suddenly no longer work. Sure, clever people find workarounds for this issue, but they are not supposed to work. They are treated as vulnerabilities that are actively "fixed", so it's a cat-and-mouse game that can break with any update. This means I effectively have the choice between a device I control, and a device that's useful in my daily life, I can't have both.
This is obviously a much worse situation than on desktop computers.
These kinds of barriers don't concern end users directly. They're just a huge pain point for developers, especially developers who don't make their software for commercial purposes only. The harder it is to develop, publish, and maintain an app, the fewer cool projects are being developed and the less innovation you get.
Nobody can quantify how much these practices stifle innovation because there are plenty of app developers and there is no comparison to how the app landscape would look if there were less barriers. Perhaps it's not a big deal but the fact is that nobody knows...
I don't have to wipe my computer to gain root nor distro hop.
> So I don't get your rant.
I think you will if you understand my list of examples is non-exhaustive. Similarly if you are willing to admit that needing to hack your device is not a counter-example, it supports my point. I can also "jailbreak" an iPhone. I can install Linux on it too. A circumvention method not being known for a current or specific generation is not a counter.
My point has nothing to do with what you "can" do. It has everything to do with the need for such efforts in the first place.
On one hand much of this is valid, but on the other many of the conveniences that desktop devs are accustomed to are increasingly questionable and ill-suited for the modern era.
Perhaps the most problematic aspect is the way that PC apps have traditionally been granted access to any resource at any time without question, with the largest obstacle being the occasional need for an admin password or UAC prompt. It’s been a chronic point of abuse by third party developers, with some of the giants like Adobe being among the worst (using a third party uninstaller after installing Creative Cloud is like shining a blacklight in a hotel room). Third party programs must be treated as somewhat adversarial in order to make sure that the user maintains control and knows exactly what the software they’re using is doing.
So yes, mobile operating systems have been abusive, but at the same time desktop operating systems have been negligent and expanding third party app carte blanche to mobile apps is not the way forward.
We do: game consoles, video players, Blu-ray players, and before phones, PDAs were already like that.
Also during the 8 and 16 bit days, all home computers were vertically integrated; outside external expansion ports the only way to upgrade either the software or hardware was to buy a new computer. Sound familiar?
An improved experience required a whole new package.
The only exception was the PC clones market, and that only happened because IBM failed to prevent it, and they did try to regain control with the MCA design that naturally failed after Pandora's box got opened.
Ironically with desktops now being a niche market, we are getting back to those days.
> We do: game consoles, video players, Blu-ray players, and before phones, PDAs were already like that.
For videogames I seem to remember a pretty big lawsuit... [0]. I seem to remember this being a thing and a few times.
While I agree with video players (including Blu-ray), and PDAs, these weren't ever general purpose machines. People could hack them to do more things, but that was much more in the true sense of the word "making it do what it was never designed to do". Nor were many game consoles, though they are now. There really weren't that many protections in them either tbh. Definitely not on the scale today. I don't like it, but I also don't think we should act like these things are perfectly equal.
But, so what? Does that change my point? I don't think my argument only applies to phones. The reason I used phones as the talking point was because of the article this thread is about, and because a phone is a general purpose computer that now everyone has in their pockets. I do think we should be careful to not undermine ourselves. How can we get things to change if we're also just saying "that's the way it is"?
At least your bank, school, apartment, and airline aren't locking core services behind carrying a fucking PlayStation around with you.
Consoles feel different because they're one-purpose machines. Sure, it's irritating if they hardcode a maximum fps or what have you, but it feels less offensive for them to be locked down.
It's kind of like the difference of Disneyland having weird, restrictive, draconian rules versus just a public park. Which is also one of two brands of public parks in your city. That you also have to use to deposit checks.
I've had a Google developer console/play account for a decade+. Recently had to send some proof of identity stuff in their anti-spam thing -- which I did because who knows one day I might care about the account -- but I haven't released anything there in eight years. No threats of closing my account.
Did they instead just warn that they would unpublish the app? Google does have minimum API levels that they slowly move forward, and they will unpublish your app if you don't periodically rebuild and resubmit.
No, I got the same message. It was very clear that I had 60 days to publish a new app or an update or my entire developer account would be closed and I would have to apply and pay all over again.
Ah, interesting. I guess it's that I did have a popular app on there (which was then removed after I completed a technology sale) and my details are verified.
They will suspend the account if you don't complete identity verification, though supposedly you can reinstate it if you disclose your personally identifiable information.
I don't know if it's just optics. As a user, I personally don't want to see or download apps that are broken, neglected, or completely left for dead. Maintained apps are usually the best ones, right?
One example doesn't prove that statement false. I said usually.
But also I'm not sure that's a great example anyway because I'm sure most people would want to find Microsoft apps on the app store regardless of what you think about their "usability" or maintenance. Usability is a different metric that's more arbitrary.
Being in control of the OS, can Google in some cases force software authors to rewrite software and "release new versions" by changing/adding/removing APIs, etc.?
Because they want developers to use the latest version of their API. And as a user it is a good thing, as the API is getting more restrictive and privacy focused.
"Because they want developers to use the latest version of their API."
But the parent commenter's company software did not need to be updated to be useful to the company. Its only purpose was to control hardware made by the company.
As I said, it is useful for the users to have software that complies with the latest version of the API, and it is good that Google is enforcing it.
Automate pushing an update every week with no changes other than a bit flipping back and forth or something. If they want to set up stupid shit then they get to get stupid shit.
It wouldn't even be hard to achieve security: (1) sandboxing, (2) permissions system, (3) database of bad app signatures, (4) heuristics based monitoring. Most of this is already in place. There's no excuse except money and power.
That’s a pretty broad statement, and sure, you can get an OS with neither, but broadly speaking modern operating systems that people use do have sandboxing and permissions.
Could you just get away with modifying something small, uploading the update, then revert the change, and reupload?
Either way, it's nonsense that they force this, especially for those who made an app however long ago and just uploaded and forgot about, or that version was the only one they intended to make. It's crazy how much Google gets away with bullying us.
Not OP, but depending on the industry, this could be enormous amounts of backend work. I have projects that need to be validated, which effectively means a huge amount of human testing for any change. The process is confirmed to work on version X.Y.Z and nothing else.
I imagine that if this sort of bullheaded google policy persists, companies will start adding “piñatas” into their code that have no real impact and can be changed with barely any validation required.
This lets google beat the version numbers out of it at will.
I'd target an about page or something similar, just have a sentence or two that get picked at random from a selection each build. Then have a monthly build job that runs and publishes.
Luckily there is no regulation in this industry, just demanding customers.
The main issue is that we support way too many different workflows based on customer requirements and actual hardware configuration, and even a slight change to a component often means we have to do manual UX testing.
A change is a change. I have certainly made a few “safe, meaningless, no possible way it could break something” edits which blew up in some unexpected way. Why take the risk for some inconsequential update? Someone has to sign off on why this commit needs to be fast tracked outside the normal process.
If that's the thing Google is trying to address, they can easily incentivize it - Java apps are usually quite easy to decompile and check. Search for library versions in use, force upgrades on security vulnerabilities.
But they're not doing that. So clearly their goal is something else.
> Java apps are usually quite easy to decompile and check. Search for library versions in use, force upgrades on security vulnerabilities.
You don't even need to do that – for a while already, Google's toolchain has been adding dependency metadata to all apps by default (encrypted, though, so only Google can read it) and they've indeed been using that to warn about outdated or vulnerable dependencies. According to https://support.google.com/googleplay/android-developer/answ..., at most they'll only block you from releasing further updates including dependencies with critical vulnerabilities, though…
Check for vulnerabilities in dependencies and do the same thing they described in this post, just with... meaningful feedback.
I'm more an infra guy, and such scans are actually absolutely awesome. I see everything in my k8s clusters, all java/python dependencies that need attention.
I'm more surprised how anyone can run an app for more than 2 weeks with no high severity vulnerabilities. I guess mobile doesn't have the same attack vectors, but still
Mobile has unbelievably smaller attack vectors due to the hefty sandboxing, as long as you're doing normal things and not including a bunch of janky ad libraries. You're largely just contacting APIs you control and not running arbitrary code, and there's no outside connections coming in at all - lots of extremely bad CVEs are completely irrelevant in that context.
Sure, you can bend your scope to make them relevant... but if you've got someone who can control your system in ways you didn't build by bypassing the OS protections, they already have control of the device and can do darn near anything. If you haven't protected from that, and it's frequently not possible, many other protections are meaningless.
Your backend though has to handle this kind of malicious-modified-client scenario, as well as random connections from code you don't control at all.
(This is not true for all apps of course, but for B2B stuff? Most small companies? Frequently valid)
If you're not an app that's intentionally risking your users' safety though, you probably have some reason to trust the ad vendor to do their part. It's calculated risk for most non-malicious apps, and the major vendors are broadly fine in that respect. Ignoring privacy anyway.
And we can ignore the shovelware, which probably is actually a majority of apps. Those won't care about security patches, and will probably go out of their way to hide them so they don't appear vulnerable and don't have to do maintenance releases. They wouldn't be affected by forced updates.
So as a conclusion, it seems we agree that those creating the most risk for users will not be impacted.
I am sticking to the Android ecosystem as the best one I know, because I still have choices + I can use F-Droid for a lot of my apps.
But when my mom uses a tablet or phone... I have absolutely no smart advice to give her. All apps are hostile and annoying. The Play game subscription is fine (apps/games cannot have ads and are fully unlocked) but other than that the Play Store is a minefield.
Sure, if you never accept any external input of any sort and handle no user data or input, you can assume things are fine.
But if that random game should, say, fetch user avatars from the web, then untrusted input to a way out of date image decoding library would be a nice path to a remote code execution vulnerability.
Or if the app registers any intent handlers that other apps and websites can trigger, or establishes TLS connections to any third party site, or...
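As an added illustration of the point above (not code from the thread): a small Python audit of which components an Android manifest exposes to other apps and to web pages, run over a constructed sample manifest. It encodes the platform's default-export rule (an explicit android:exported wins; otherwise a component with an intent-filter is exported and a content provider is private) so the unguarded, externally reachable surface is listed first for review.

```python
"""Added example (not from the thread): list the components other apps or web
pages can reach, i.e. the "intent handlers" surface mentioned above.
The manifest below is constructed for illustration; names are hypothetical."""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample: a deep-link activity any web page can open, a receiver
# any app can trigger with no permission, a provider guarded by a permission,
# and an activity that is only reachable from inside the app itself.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fieldtool">
  <application>
    <activity android:name=".MainActivity" android:exported="false"/>
    <activity android:name=".DeepLinkActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.invalid"/>
      </intent-filter>
    </activity>
    <receiver android:name=".ConfigReceiver" android:exported="true">
      <intent-filter>
        <action android:name="com.example.fieldtool.APPLY_CONFIG"/>
      </intent-filter>
    </receiver>
    <provider android:name=".LogProvider"
              android:authorities="com.example.fieldtool.logs"
              android:exported="true"
              android:permission="com.example.fieldtool.READ_LOGS"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_exported(elem):
    """Platform default: explicit android:exported wins; without it, a
    component with an intent-filter is exported, a provider is private."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit == "true"
    if elem.tag == "provider":
        return False
    return elem.find("intent-filter") is not None


def externally_reachable(manifest_xml):
    """Return [(tag, name, permission_or_None, browsable)] for each component
    another app (or, when browsable is True, a web page) can reach."""
    root = ET.fromstring(manifest_xml)
    found = []
    for elem in root.iter():
        if elem.tag not in COMPONENT_TAGS or not _is_exported(elem):
            continue
        browsable = any(_attr(cat, "name") == "android.intent.category.BROWSABLE"
                        for cat in elem.iter("category"))
        found.append((elem.tag, _attr(elem, "name"), _attr(elem, "permission"), browsable))
    return found


def unguarded(manifest_xml):
    """Exported components with no permission at all: review these first."""
    return [c for c in externally_reachable(manifest_xml) if c[2] is None]


if __name__ == "__main__":
    for tag, name, perm, browsable in externally_reachable(SAMPLE_MANIFEST):
        note = "  (web-triggerable)" if browsable else ""
        print(f"{tag:<9} {name:<20} {perm or 'NO PERMISSION'}{note}")
```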
That was definitely a logical way to interpret that comment. /s
The message is that the app developer in question's argument that they have nothing to update is most likely false, not that special industries are a driver for the policy.