Ask HN: How to combat Android malware without mandatory developer verification?
In August 2025, Google announced that starting in late 2026, they are going to lock down Android to require that all app developers register centrally with Google or else their apps will be blocked from being installed on Android certified devices, regardless of how the app is distributed (competing app stores, direct download, etc). This measure is allegedly to combat malware and slow the ability of repeat offenders to simply re-build and re-sign apps that have been blocked by Google Play Protect.
There is a lot of opposition to this effort (e.g., keepandroidopen.org, which I organize) along with widespread distrust of the claimed motives for the program. And yet there is indeed a problem with the proliferation of malware in some regions (Southeast Asia being most frequently cited in reporting).
Recent advances like "Restricted Settings" in Android 14 and "Enhanced Confirmation Mode" in Android 15 have enacted technical barriers that address many of the most common scam/phishing/malware tactics. What additional technical measures could be implemented that would help protect vulnerable Android users against being victimized? Is a program of increasing awareness about personal security a viable solution? Or is the only solution to lock down the Android platform to require developer registration and verification before an app can be distributed?
No comments yet.