Installing software outside of play store is technically possible, but if something contains enough hurdles, most people won't do it, which results in no users and a meaningless platform.
The main hurdle is that (without rooting) there doesn't seem to be a way for alternative app stores to silently update software.
That's bearable though unpleasant when you have one or two pieces of software that rarely get updated, but it's absolutely impossible when you have 10+ pieces of software - you'll sit there for 5 minutes just approving install prompts every week, which isn't something a normal human is going to do.
It doesn't help that FDroid is pretty broken, and constantly pops up notifications about updates that don't work/aren't actionable (i.e. tapping the notification doesn't result in an install prompt followed by a successful installation, instead I get various errors etc.). Also, apparently the FDroid review process is even slower than the Play store review process.
> there doesn't seem to be a way for alternative app stores to silently update software
Yes — because that's something reserved for privileged system apps. You have to root your device to take advantage of that, or make a custom ROM with the alternative store in it. Having that ability as a permission you could grant to any app is an immense security risk. But then there are "device administrator" apps that can literally factory reset the device... I don't know. Maybe package installation should be part of that. Especially now that the legacy permission model was taken care of — if you install an app that doesn't support runtime permissions, you'll get a list of its permissions with toggles next to them when you run it for the first time.
> you'll sit there for 5 minutes just approving install prompts every week
Unpopular opinion: well-made software that serves its user doesn't need to be updated very often. Remember how you bought a program on a CD and used the exact same build for years?
If you root your device, doesn't that mean you will no longer be able to receive Android OS software updates from the phone manufacturer?
> Unpopular opinion: well-made software that serves its user doesn't need to be updated very often. Remember how you bought a program on a CD and used the exact same build for years?
Sure, I'm even old enough to remember this but on cassettes and floppy disks! But - software now is much more complex than it used to be - most software has dependencies on other libraries/frameworks, and has to deal with communication and encryption (where it is all too easy to make subtle mistakes). IMO, for security reasons alone, it's no longer realistic to expect software without at least occasional updates.
> software now is much more complex than it used to be
I'd say software now is much more complex than it needs to be. It's made to ease the life of the developer, usually an inexperienced one, at the expense of the user.
> IMO, for security reasons alone, it's no longer realistic to expect software without at least occasional updates.
If people would stop rewriting things that already work fine, we'll run out of vulnerabilities at some point. Or, if you must rewrite them and have a good reason to do so, at least use a memory-safe language. Even C++ is much better than C and raw pointers. Anything is better than C and raw pointers. Yet all major OS kernels and most userspace components are written in C and use raw pointers and vulnerabilities in those are being found all too often.
> If you root your device, doesn't that mean you will no longer be able receive Android OS software updates from the phone manufacturer?
It often means that. :( But it is not that bad for some devices. Geeks from the Lineage community regularly update closed vendor code in LineageOS. So if you are lucky and Lineage is well-supported on your device, you can still have root nowadays with up-to-date vendor blobs.
For example I rooted my Xperia XZ2 Compact and I am quite happy with it. By using Magisk and Magisk Hide, I am still able to use Google Pay. At the same time, I can use Titanium Backup and f-droid root extension to let f-droid install updates automatically. I hope this device will last me for a long time as I don't see many alternatives - most other phones are too big for me, too old/slow or unsupported.
The non-root way to silently update is to install a DPC (device policy controller). Has existed for the past 10 years to support enterprise MDM. Only catch is that to install the DPC you have to factory reset your phone to place it into the special state where no accounts have "ever" been signed in to, which is what allows a DPC to be installed. (Removing all accounts from the device may also work)
The nice thing is that once the DPC is installed you can `adb install -r` (reinstall, ie update) it without needing to factory reset. Just don't uninstall it accidentally :D
Sadly no. I actually went full-on "wait a minute...!" a few weeks ago when I discovered this, but practically speaking, nobody's going to do it ("what, factory reset my phone?! hahaha NO"), and so implementing the necessary support would ultimately be a giant burden.
Technically 100% possible, but practically never going to happen.
If someone were willing to write and maintain the necessary plumbing and then poked F-Droid, it would be interesting to see if they cooperated, but they may well be reluctant to.
> The main hurdle is that (without rooting) there doesn't seem to be a way for alternative app stores to silently update software.
Does this actually matter? On the desktop it's normal for apps to update themselves. Is there some fundamental reason an Android app cannot do this too?
Yes. The application's executable is not writeable to the app. You need to go through the package installer. This requires a system controlled prompt for the user to confirm an installation, and requires a separate permission to even ask which is not allowed for third party apps published to the play store (https://developer.android.com/reference/android/Manifest.per...).
Er, not quite. The permission required to trigger the app install prompt for an APK is REQUEST_INSTALL_PACKAGES, which is available to third-party apps.
These are still four more steps than what it takes to directly install from the Play Store. Most people would view any of these four steps as a hurdle.
> And you won't need to go to the settings the next time, it'll just work.
You will still have to find the apk when there is an update, download it and confirm install. There are still three steps to update the apk compared to Play Store's one tap (or even zero clicks if automatic updates are on). Only "Allow installing from this source" step is removed when updating the app.
It's possible to build self-update functionality into an app, just like many apps do on desktop. An app can open that installation prompt to update itself.
Not on the latest versions of Android, unless you're only updating interpreted code like Python. You can no longer execute files that weren't packaged with the original APK.
You can download an apk and launch the package installer activity to install it. In latest versions of Android, you'll need to serve the apk through a ContentProvider. I tested this myself, it works, even if the app is updating itself.
But I think you can actually still load arbitrary dex files using a ClassLoader? I thought that the update was only affecting JNI libraries. I remember reading how they wanted for any and all executable code to come from a signed package. Even then, if you're determined enough, you can load arbitrary native code by allocating some rwx memory pages and copying it in there ;)
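The package-installer route described in the comment above (download an APK, expose it through a ContentProvider, open the install prompt), as an added example that is not part of the thread. It assumes the app declares `REQUEST_INSTALL_PACKAGES` and an androidx `FileProvider` whose authority is the package name plus a hypothetical `.updates` suffix; the class and method names are illustrative.

```java
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.net.Uri;
import androidx.core.content.FileProvider;
import androidx.core.content.pm.PackageInfoCompat;
import java.io.File;

public final class SelfUpdater {
    // Assumption: the manifest declares a FileProvider with authority
    // "<applicationId>.updates" whose paths cover the download directory.
    private static final String AUTHORITY_SUFFIX = ".updates";

    private SelfUpdater() {}

    /** Opens the system install prompt for a downloaded APK; returns false if it is rejected. */
    public static boolean promptInstall(Context ctx, File apk)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();

        // Parse the downloaded file before handing it to the installer.
        PackageInfo downloaded = pm.getPackageArchiveInfo(apk.getAbsolutePath(), 0);
        if (downloaded == null) {
            return false; // not a parseable APK
        }
        // Only accept an update for this app, never a different package.
        if (!ctx.getPackageName().equals(downloaded.packageName)) {
            return false;
        }
        // Refuse same-version reinstalls and downgrades.
        PackageInfo installed = pm.getPackageInfo(ctx.getPackageName(), 0);
        if (PackageInfoCompat.getLongVersionCode(downloaded)
                <= PackageInfoCompat.getLongVersionCode(installed)) {
            return false;
        }

        // Recent Android versions reject file:// URIs across apps, so the APK
        // is served through a ContentProvider with a one-off read grant.
        Uri uri = FileProvider.getUriForFile(
                ctx, ctx.getPackageName() + AUTHORITY_SUFFIX, apk);
        Intent intent = new Intent(Intent.ACTION_VIEW)
                .setDataAndType(uri, "application/vnd.android.package-archive")
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                        | Intent.FLAG_ACTIVITY_NEW_TASK);
        ctx.startActivity(intent); // the user still has to confirm the prompt
        return true;
    }
}
```

The platform installer itself refuses an update whose signing certificate does not match the installed package, so the checks here only filter out obviously wrong files before the user sees a prompt.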
Yeah I misinterpreted your original comment. I was thinking in terms of the app being in control of itself ie JNI type stuff.
Sounds like there are ways to do it within the Android ecosystem, but in cases where Google is suspending things wouldn't they just turn off all the self-update stuff?
Google doesn't have the technical ability to "turn off all the self-update stuff", if you mean preventing non-store apps from updating themselves by downloading and installing apks. The worst thing they can try doing is bullying the users into uninstalling the app through Google Play Protect.
I'm not deep enough in the Android ecosystem to understand all the details. I've only had the misfortune of trying to get a (very portably-written) golang application to run in the environment, and hitting roadblock after roadblock.
I guess my overall point is that Google is motivated to have complete control over Android app distribution, and they'll plug as many of the types of holes you're talking about as they can get away with.
Dropbox's selling point is its simplicity. Apple's as well, for that matter. It's perfectly fine to have simplicity as your selling point.
Many people, myself included, love products that "just work" out of the box. That's what everything should be like, ideally. My gripe with modern technology is that it actively inhibits your ability to go in and tinker. DRM, forced app stores, code signing with enforced signing identity, all that kind of stuff.
See, imagine someone releases an amazing messaging app that's lightyears ahead of everything else on the market. But — it's only available through F-Droid or as an apk download on the developer's website. People will flock there and install it. And they will be unstoppable.
A concrete example of this phenomenon: Pokemon Go wasn't officially released in Russia, so you couldn't download it from the app stores. Yet, everyone played it. And I mean everyone, in 2016, especially during summer, you couldn't take a walk in the downtown St Petersburg without hearing the Pokemon Go sounds from people's phones. Android users sideloaded apks, iOS users created separate Apple IDs to bypass the geoblock. Suddenly everyone educated themselves to get the thing they wanted.
99% of consumers will stop at step 2. 80% won't have the technical skills to make it past step 1.
But even if 99% of people could figure it out, it'd still be an unnecessary hurdle whose only purpose is to provide Google with an unfair competitive advantage.
Until all of that bs goes away, side-loading and secondary app stores will be nothing more than a hobby for enthusiasts.
Google shouldn't be doing what they're doing, no question. BUT, this reaction to the idea of people downloading apps is over the top. The world is full of people who made lots of money on the back of people downloading and installing their apps, even with far worse UXs than what Android provides.
Minecraft.
Steam.
Heck, every video game ever.
Skype.
Microsoft Office. Made billions when people had to physically go to a store and get it.
Google Earth. Chrome itself.
IntelliJ, any developer tool.
Zoom. WebEx. Most video conf tools, actually.
Any pro tool whatsoever.
You get the picture. No, ticking a box and tapping is not the end of the world and never has been. The UX for app installation on macOS and Windows is totally atrocious in both cases and people figure it out.
If you live in the Valley bubble world where every single app that exists is VC funded and desperately racing to get to a 100M daily actives first, then it might seem like one extra click is literally the end of the world. But FFS the vast majority of all businesses and products require more effort to get than that, and they work just fine.
That's a huge hurdle for normal people; it means you can't make a business out of selling things that way unless you have an established product like Fortnite.
It is not meaningless, but agreed not something for mass use yet. Similarly like 30-40 years ago with personal computing, now also geeks start the paradigm shift into privacy-aware computing.
I guess at some point Google will close the F-Droid loophole in Android and only allow installations through the Playstore anymore. You know, for security reasons... winkwink
Maybe the real reason will be pressure from the government to hurt the ones like Huawei a little more, maybe it will be the need to squeeze more money, or maybe the need for censorship because those evil alternative app-platforms allow whatever unwanted stuff.
> I guess at some point Google will close the F-Droid loophole in Android and only allow installations through the Playstore anymore.
Google's standing in Europe is already really shaky. They keep taking fine after fine for abuse of their dominant position. That won't last forever. If they close the ability for other stores to exist, the best case scenario is the EU giving them a huge fine and forcing them to go back. Worst case is being forced to split Android out of the main company. Google knows that, which is why they will not do it.
Google is already split in the EU; there are subsidiaries in various countries, although the parent company is in the US. The EU has no power to split a US company, but can apply fines to locally registered subsidiaries when laws are breached.
The other aspect is that Google is now jeopardizing many people who now enable "other sources", making them more susceptible to malware. (Not saying you shouldn't enable "other sources", but many people don't understand what they are doing).