Does this have any legitimate use cases, or is it just anticompetitive behavior and DRM? And has anyone found a way to bypass it yet?
The game studio I worked for hated side loading. It's often used by fake sites (including crypto mining and identity theft sites) to offer "free" apps which are really just APKs from legitimate publishers.
The user is left with an app that won't be updated or get bug fixes and may not even work at all because of ongoing changes in the game server and its APIs.
Our game was entirely free to play and there was no way to get any additional stuff by using a side loaded APK from someone else.
To make matters worse, users put themselves at risk when they enter their personal information like passwords and payment info into these illegitimate APKs as it can be captured by modified versions of the apps, which is why folks distribute them.
If you have any more info on this, would love to hear more.
I spent a couple days trying to deconstruct what the apk sites bidding on adwords for our brand (ecommerce free app) were doing. Proxied traffic and didn’t see anything fishy. Chalked it up to ad arbitrage in the end. Didn’t seem like getting people to download the apk was the primary goal.
(email in my profile if you want to share privately)
> To make matters worse, users put themselves at risk when they enter their personal information like passwords and payment info into these illegitimate APKs as it can be captured by modified versions of the apps, which is why folks distribute them.
But if people are modifying your APK anyway, wouldn't they just remove this check too?
I'm referring to bad actors adding things to the APK or altering it, though there is more evidence of the issue raised in the post below yours: folks who attempt to gather info from users in order to offer the software (outside the app stores) and from those pages collect other user info and introduce malware.
I'm curious why you don't think being able to pick how your apps are distributed might not be a legitimate use case. If you are selling your apps, it's obviously your choice whether or not you want to crack down on people distributing in ways other than the one that makes you money.
> just anticompetitive
It sounds like just this, only all wrapped up in a "let us protect you" wrapper.
My guess is it's to stop things like ReVanced patches which can remove ads in various apps like YouTube
The other side of the coin is for apps that are already listed in the Play Store, does side loading have any legitimate use cases other than piracy and IP theft?
Developers should have the right to decide how they make their software available to users.
I am currently locked out of online banking because my bank uses a security lib of questionable value. One of the "security" mechanisms is a block list of other apps installed on your phone.
In the past it was magisk in there, since I can't root my current phone I don't have magisk either. My only way to use online banking is copying the app into my work profile, or using an older version which I have to sideload from apkmirror.
> The other side of the coin is for apps that are already listed in the Play Store, does side loading have any legitimate use cases other than piracy and IP theft?
Yes - bypassing incorrect assumptions.
For example, a US company I worked for at a non-US office (imagine it was e.g. Google Japan) gave most employees a corporate credit card. Citibank made it impossible to download their app through the Play Store from the country in question, even though it was required to use it. Only option was to sideload it.
This kind of thing has happened on other occasions as well.
DRM is legally considered a legitimate use case.
I mean morally legitimate.
Many rights holders would have different views of what's moral here.
I kind of feel like I repeatedly observe a bit of cognitive dissonance among some users on HN (not suggesting josephcsible is). There's often a lot of discussion about 'freedom' but what most often mean is 'my freedom'. This is about balancing the freedom of content producers/rights holders to choose the methods of distribution of their content, and the freedom of content consumers to choose how they'd like to receive their content. Not sure where the line lies but talk of 'morals' seems like trying to simplify a non-trivial problem.
IMO the line is my device having non-removable hardware modules that are specifically designed to protect the device from me, its legitimate owner. I'm fine with software-only DRM, it'll always get broken by someone eventually anyway. But all the ARM TrustZone bullshit and secure boot with unchangeable signing keys? This has no right to exist in this universe.
And I don't give much of a crap about copyright owners. Copyright in its current form mostly doesn't work for its intended purpose anyway, it only works for corporate rent seeking.
You and I can agree on all that, but it won't make anyone care. When the dust settles, the ARM TrustZone bullshit and bootloader locking is justifiable, even if only with inferior rationale. The state of consumer protections in America is not even remotely advanced enough to push back on this behavior, and businesses are ever grateful.
Zooming out, fighting against DRM APIs is not even a hill worth dying on. Stopping it would mean attacking a healthy and legal market that has multiple worse alternatives they can roll out. A more realistic goal is separating App Stores and App runtimes, to prevent anyone from conflating the two and playing keep-away with basic functionality of devices that people own.
IMO, the line is clear: if you own a physical device, it's immoral for anyone else to restrict your ability to do anything whatsoever on that device.
But the restriction exists and is known before you buy the device. The market offers alternatives. When buyers choose an iPhone or Samsung phone ahead of a Fairphone they are choosing among different trade-offs. For myself I’ve chosen an iPhone because I value the hardware quality over the freedom offered by the Fairphone. But I have a choice.
The freedom I don’t have is to demand the market supply a “Goldilocks” device that meets all my requirements. The fact that Fairphone exists tells me that there’s no structural impediment to the market providing such a device. Their market share reflects the number of people for whom the kind of freedom you want is valued above other requirements.
As much as I like being able to sideload apps, I have no problem with the app publishers deciding which platforms their apps are distributed through.