A theoretical way to circumvent Android developer verification

2025-10-31 20:20 196178 enaix.github.io


As you all know, Google has introduced developer verification as a way to prevent users from installing “unregistered” APKs. This measure was taken as a security feature to link every APK in existence to its developer, as in the Play Store.

Link to the Android documentation, link to FAQ

Why this is bad

This has already been discussed by ArsTechnica and on some threads (some cherry-picked ones): reddit, ycombinator, hackaday.

A quick recap of the main points (as of 30 Oct 2025):

  • The base tier costs $25, as in Play Market. Requires an ID
  • There will be a limited “hobbyist” unpaid license. Google claims that they won’t require an ID
  • Legal info is said to be private, unlike with Play Market
  • The verification code is supposed to be located in Play Services, but Google hasn’t published the source code yet
  • Google assures that it would be possible to install applications locally using ADB, but there are no details on this
  • Hobbyist license restrictions are unknown

A few months earlier, Google decided to make Android development private, which seems to be preparation for the upcoming changes (another article). Because of this change in the AOSP release format, it is no longer possible to track what exactly Google is doing.

My answer to this question is that it would simply prevent small developers, myself included, from distributing their apps. If we take the legal route, a hobbyist license is supposed to have some limit on the number of installs by design. If that limit is, say, 10K installs, this is not enough in my case. Another question is how exactly the verification process is going to work: what if Google adopts the same rules as in the Play Store? Taking my fork of the old VN engine port as an example, this apk would not pass security checks, as the old codebase relies on legacy external storage permissions, which are banned in the Play Store. If we take the adb route, there are no guarantees that this method is going to work in the future in the form you expect. For instance, Google mentions that this method is meant for on-device tests during development, and nothing prevents them from reporting the install to their servers and checking whether a self-signed apk has been installed on other devices. Put another way, these steps are difficult for an average Android user to perform, and that becomes the developer’s problem.

The situation links pretty well with Samsung removing bootloader unlocking with the One UI 8 update. Great, duh…

The concept


My vision of the hack is to distribute a verified loader apk, which in turn dynamically loads any apk the user wants. A user obtains the loader apk once and then loads as many apps as they want without installing them.

The Java virtual machine in Android is the ART/Dalvik runtime (I will refer to it as Dalvik, it seems that Google hates cool names). Did you know that Dalvik natively allows dynamic code execution using PathClassLoader? So an apk may just load some zip/apk/dex code from external storage and execute it in the current context. Essentially, this means that we can natively load the apk into memory and execute any code inside the target apk without altering the original code signature of the loader.
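Seen from the reviewing side, use of this mechanism is visible statically in an apk's classes.dex. The following is an added example (not code from the article or its repository) that reads the DEX string and type tables and reports references to the dalvik.system class loaders; it goes beyond the one loader named above by also watching DexClassLoader, InMemoryDexClassLoader and BaseDexClassLoader, and the sample DEX bytes are constructed and carry only a header and the two tables.

```python
import struct

# Type descriptors of platform class loaders that take code from a path or
# buffer chosen at runtime. PathClassLoader is the one the article names; the
# other three are related dalvik.system loaders added for this example.
DYNAMIC_LOADERS = {
    "Ldalvik/system/PathClassLoader;",
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
    "Ldalvik/system/BaseDexClassLoader;",
}
# Dotted spellings, as they appear in string constants handed to reflection.
DOTTED = {d[1:-1].replace("/", ".") for d in DYNAMIC_LOADERS}
HEADER_SIZE = 0x70            # fixed size of the DEX header
ENDIAN_CONSTANT = 0x12345678  # little-endian marker stored at offset 0x28


def _uleb128(buf, pos):
    """Decode one unsigned LEB128 value; return (value, next position)."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 28:
            raise ValueError("truncated or oversized uleb128")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def _read_string(buf, off):
    """Read a string_data_item: uleb128 length, then NUL-terminated MUTF-8."""
    _, pos = _uleb128(buf, off)
    end = buf.index(b"\x00", pos)  # raises ValueError if unterminated
    # MUTF-8 equals UTF-8 for the ASCII names this check looks for.
    return buf[pos:end].decode("utf-8", errors="replace")


def parse_tables(dex):
    """Return (all strings, descriptor index of each type_id) of a DEX image."""
    if len(dex) < HEADER_SIZE or dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    if struct.unpack_from("<I", dex, 0x28)[0] != ENDIAN_CONSTANT:
        raise ValueError("unsupported endian tag")
    # string_ids_size, string_ids_off, type_ids_size, type_ids_off
    str_n, str_off, type_n, type_off = struct.unpack_from("<4I", dex, 0x38)
    if str_off + 4 * str_n > len(dex) or type_off + 4 * type_n > len(dex):
        raise ValueError("id table runs past end of file")
    str_ids = dex[str_off:str_off + 4 * str_n]
    type_ids = dex[type_off:type_off + 4 * type_n]
    strings = [_read_string(dex, o) for (o,) in struct.iter_unpack("<I", str_ids)]
    type_idx = [i for (i,) in struct.iter_unpack("<I", type_ids)]
    if any(i >= str_n for i in type_idx):
        raise ValueError("type_id points outside the string table")
    return strings, type_idx


def scan_dex(dex):
    """Split loader mentions into real type references and bare strings."""
    strings, type_idx = parse_tables(dex)
    typed = {strings[i] for i in type_idx}
    loose = set(strings) - typed
    return {
        "type_refs": sorted(typed & DYNAMIC_LOADERS),
        "string_only": sorted(loose & (DYNAMIC_LOADERS | DOTTED)),
    }


def build_sample_dex(strings, type_descriptors):
    """Constructed test input: header, string_ids, type_ids and string data.
    Checksum and signature stay zero, so this is not an installable DEX."""
    strings = sorted(set(strings) | set(type_descriptors))
    str_off = HEADER_SIZE
    type_off = str_off + 4 * len(strings)
    data_off = type_off + 4 * len(type_descriptors)
    data, offsets = b"", []
    for s in strings:
        offsets.append(data_off + len(data))
        # One-byte uleb128 length is enough: sample strings are short ASCII.
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"
    header = bytearray(HEADER_SIZE)
    header[0:8] = b"dex\n035\x00"
    struct.pack_into("<3I", header, 0x20, data_off + len(data),
                     HEADER_SIZE, ENDIAN_CONSTANT)
    struct.pack_into("<4I", header, 0x38, len(strings), str_off,
                     len(type_descriptors), type_off)
    str_ids = b"".join(struct.pack("<I", o) for o in offsets)
    type_ids = b"".join(struct.pack("<I", strings.index(t))
                        for t in type_descriptors)
    return bytes(header) + str_ids + type_ids + data


# Constructed sample: one loader used as a type, another only named in a string.
SAMPLE_DEX = build_sample_dex(
    strings=["hello", "dalvik.system.DexClassLoader"],
    type_descriptors=["Ljava/lang/Object;", "Ldalvik/system/PathClassLoader;",
                      "Lcom/example/Main;"],
)

if __name__ == "__main__":
    print(scan_dex(SAMPLE_DEX))
```

For a real apk, pass the bytes of each classes*.dex entry (read with the standard zipfile module) to scan_dex.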

In order to actually run the apk, the loader needs to properly initialize the main activity (aka the main screen, or the entrypoint) of the target apk. So, the main activity needs to be initialized and somehow placed inside Android’s activity lifecycle, with the loader acting as a wrapper. Then, the loader apk should handle other aspects like local file handling and name conflict resolution. This can be achieved by patching the target apk bytecode: .odex/.dex classes may be dynamically decompiled into .smali, analyzed and compiled back into a modified apk. Furthermore, the loader would have to parse the AndroidManifest options of the target (main activity location, screen options).

Implementation

Developing such a wrapper in a straightforward way has proven to be rather difficult, as Android activity management logic is extremely complicated and differs from version to version. In short, it was problematic to perform the initialization process the right way. Some people suggested avoiding the initialization step completely and using the Unsafe Dalvik API to register the target’s activity as the loader apk activity stub, which is declared in the loader’s manifest without a class. I couldn’t find exact methods in the Unsafe documentation, but this actually may be a way to go.

Due to this particular issue I couldn’t bring the proof of concept to a working state in a reasonable time, and because of this I was considering not publishing this article at all. The purpose of this post is not to give a somewhat ready solution, but to get some feedback on the concept, as I was not ready to devote lots of time to a potentially broken solution.

The logistics

Information provided in this section is for educational use only, all scenarios discussed below are hypothetical.

In order to install the loader apk on the device, it would require, well, some form of verification. The hobbyist license is the only choice here, as paying $25 for each attempt is not optimal. Since the hobbyist license has a limited number of installs, there should be multiple instances of the apk with separate licenses. In this hypothetical scenario there may either be a pool of volunteers who sign the code, or completely random users who are willing to help. In the second case, the loader code would somehow need to be verified or scanned, since such a distribution system would be vulnerable to malware.

The final and the most important issue in this process is the verification process itself, as the loader code may (and likely will) be flagged by Google. So, the code would require some form of obfuscation like code flow modification and implementing double functionality (for instance, registering it as a file manager). If Google decides to ban dynamic code loading altogether, the final solution would be to pack the Dalvik runtime into the loader as a native library. This of course would have extremely low performance, but it should be technically possible.

Overall, the hypothetical plan has lots of assumptions, which I’m not happy with. First of all, it requires lots of manual work by the volunteers or random people, and this work also includes the apk obfuscation, which was not discussed in detail. Then, the verification process itself should be somewhat permissive to allow potentially suspicious apps (I would like to hear how this happens with the current Play Store verification).

Conclusion

The project described in this article is by no means a finished solution, and if you have started to think about what else could work, it means that the article has reached its original goal. I believe that we would eventually come up with a proper solution in the future. Thank you for reading!

You may find the source code here. Feel free to create an issue if you wish to discuss.



Comments

  • By asimops 2025-10-31 21:30 8 reply

    While it is technically feasible, it is not a good idea to try and find a technical solution to a people/organisation problem.

    Do not accept the premise of assholes.

    I hope we can get the EU to fund a truly open Android Fork. Maybe under some organisation similar to NL Labs.

    --- edit ---

    Furthermore, the need for a trustworthy binary to be auditable to a certain hash or something would make banning this a simple task if Google would want to go that route.

    • By AnthonyMouse 2025-11-01 7:05 1 reply

      > Furthermore, the need for a trustworthy binary to be auditable to a certain hash or something would make banning this a simple task if Google would want to go that route.

      This is actually the advantage of doing it. You make the thing (call it a "personal app loader" or something rather than a "circumvention tool"), they ban it, now you campaign against them or make antitrust arguments presenting the ban as an anti-competitive practice or use the ban to refute claims that they're not inhibiting third party app distribution.

      Even if you know they're going to be the villains, you still want to make them actually do it so that everyone can see them doing it.

      • By chii 2025-11-02 10:21

        They (google) could cite the loader being "exploited" to run "dangerous" apps like viruses/malware, and bypass the monopoly issue.

        I do think having a technical bypass is good - it isn't mutually exclusive with also having a legal bypass. I just hope that the gov'ts are smart enough, and agile enough, to make this happen before it becomes too late (aka, once the gates close, it will never open again, like apple's ecosystem).

    • By closeparen 2025-11-01 1:28 5 reply

      The same EU that's doing Chat Control?

      • By rf15 2025-11-01 2:03 1 reply

        The same EU of which parts are trying to make chat control work and are once again abandoning it. Politicians get this particular fancy idea every other year in all kinds of countries, not just EU. Overreach out of desperation for a problem that cannot simply be solved is wrong but understandable.

        • By igor_akhmetov 2025-11-01 10:17 1 reply

          Desperation for what exactly? More control?

          • By ForHackernews 2025-11-01 12:45 2 reply

            They are trying to stop crime, including sex/drug trafficking and child exploitation. If you want to have an intellectually honest debate, you need to be clear that private communication apps do make it more difficult for police to conduct legitimate investigations. You do yourself no favours painting all politicians as power-hungry caricatures.

            • By ipaddr 2025-11-01 13:30

              So do private in person conversations. Going the route of North Korea putting two way speakers in each house would help make those conversations available to the government. Think of all of the child exploitation you could stop by removing any sense of privacy. Of course they would figure a way around this and everyday citizens would have to deal with the lack of privacy but at least they thought of the children so we should keep voting them in.

            • By 0xDEAFBEAD 2025-11-01 16:04 1 reply

              If chat control is a good-faith effort to stop crime, why can't Android developer verification be a good-faith effort to stop cybercrime?

              If politicians are not all power-hungry caricatures, is it possible that the same is true for businesses?

              Android has millions of users worldwide, many of whom are far less computer-literate than HN users. I think it's very reasonable for Google to put speed bumps in front of malware developers trying to distribute through the Play Store. If you're a half-decent dev, $25 is nothing compared to the opportunity cost of your time in developing your app.

              This whole thing seems to be a fairly recent announcement on Google's part, so it's unsurprising they're still hammering out details for hobbyist devs? How about making constructive suggestions for ways that Google can protect ordinary people without stopping power users?

              • By ForHackernews 2025-11-01 17:25 1 reply

                I think the issue is not about distribution in the Play Store (I don't actually have any problem with that: their playground, their rules) but the fact that they are going to break sideloading and alternative app sources like F-Droid.

                I struggle to see any good-faith need to erect additional barriers to protect users from running the programs they want on devices they own, when you already have to be fairly expert to enable developer mode, install via adb, etc.

      • By supermatt 2025-11-01 13:22 3 reply

        It appears that you are an American who has conveniently forgotten about FISA, EARN IT, CLOUD act, PATRIOT act, LAED, etc, etc, and wants to take a dig at the EU for what, exactly? NOT passing Chat Control? Seriously..

        • By 0xDEAFBEAD 2025-11-01 16:08

          It's interesting how so many online discussions of internet privacy devolve into nationalist chest-beating. I'm beginning to suspect that people don't inherently value privacy all that much -- they just want to brag about how their country is the most private.

          Recall that the premise of this thread is that the EU should sponsor an alternative to Android. The EU vs US question isn't really topical, since no one suggested that the US government should sponsor an alternative to Android instead.

        • By closeparen 2025-11-01 16:20 1 reply

          I do not think it is righteous or enlightened when the American government flexes control over the tech sector. I can see how Europeans might have thought this about the EU when it was just GDPR, but subsequent developments have recast all of this as being about government control and keeping the tech industry “in its place” rather than a commitment to privacy and freedom in and of themselves. I think that ought to temper the righteousness.

          • By supermatt 2025-11-02 8:07

            What subsequent developments? It sounds like you are alluding to the DMA.

            The DMA is an attempt to reclassify what “market” means in the modern age where we have a global tech oligopoly. This is because a simple “test” for monopolism doesn’t work in this world of multinational megacorps.

            Again, your complaint is a double standard. You are doing similar in the USA - albeit without an actual structured act - as per the recent rulings on the Google Play store.

            The EU has simply codified the rules for their vision of the future where people aren’t beholden to a handful of tech overlords, whereas the USA is making similar incremental “changes” through case-law. I’m not saying either way is correct, but it seems like they are both headed in the same direction.

      • By exe34 2025-11-01 7:16 1 reply

        The EU is a big place, run by a lot of different people, with true separation of powers. They don't have a president-king who can just ignore court decisions.

        • By jmnicolas 2025-11-01 9:22 4 reply

          So we're gonna get access to Von Der Leyen Pfizer sms right?

          Were you offered to vote for Von Der Leyen by the way?

          • By Certhas 2025-11-01 10:11 2 reply

            The EU is a parliamentary democracy. Von Der Leyen was proposed by the democratically elected heads of the member states. She was approved by the democratically elected parliament.

            The chancellor in Germany is also not directly elected by majority vote but by parliament.

            It's a reasonable criticism that the EU structures make democratic legitimisation very indirect, but that is at least partly a result of the EU being a club of sovereign democracies. The central tension was extremely evident during the Greek debt crisis, you have a change in government in Greece, but due to EU level constraints they can't enact a change in policy. More independent power in institutions less dependent on the member state, means the sovereign democratic national governments can't act on their local democratic mandates.

            • By immibis 2025-11-01 11:04

              FWIW EU members are sovereign. If they disobey EU laws they can have benefits withheld but they won't be militarily invaded for ignoring EU law the way a US state would (unless they do something military themselves like invading another country).

            • By wqaatwt 2025-11-01 12:26 2 reply

              > The EU is a parliamentary democracy

              Except there are a couple degrees of separation between the democracy part and in the running the EU institutions.

              The EU parliament is also a very superficial imitation of a real parliament in a democratic state. It has very limited say in forming the “government” or decision making.

              > result of the EU being a club of sovereign democracies

              So either revert to it just being a trade union or implement fully democratic federal institutions. The in between isn’t really working that well.

              • By Certhas 2025-11-01 18:31

                It isn't working well by what standard?

              • By saubeidl 2025-11-01 12:43 1 reply

                > Except there are a couple degrees of separation between the democracy part and in the running the EU institutions.

                That's what parliamentary democracy means, yes.

                • By wqaatwt 2025-11-01 12:50 2 reply

                  No, of course not...

                  In parliamentary democracies the parliament is elected directly and is generally sovereign (optionally constrained by a constitution or some set of basic laws and powers delegated to regional governments and such).

                  In no way does that describe the EU. It has no equivalent body. Its imitation “parliament” is extremely weak and barely has a say in who forms the closest EU has to a “government”.

                  • By saubeidl 2025-11-01 13:36 1 reply

                    But the parliament isn't the government in a parliamentary democracy.

                    • By wqaatwt 2025-11-01 15:07 2 reply

                      Yes, and? It forms the government and can dismiss it.

                      • By exe34 2025-11-01 16:55

                        They can also vote on bills, while we're bringing up irrelevant gotchas.

                      • By Certhas 2025-11-01 18:24

                        So this is typical of criticism of the EU democratic structure: It's just factually wrong. The EU Parliament can dismiss the commission. From Wikipedia:

                        "The Parliament also has the power to censure the Commission by a two-thirds majority which will force the resignation of the entire Commission from office. As with approval, this power has never been explicitly used, but when faced with such a vote, the Santer Commission then resigned of their own accord."

                        The fact that the whole democratic setup is highly complex is in itself a problem. But the concrete deficits people mention are never true or don't apply to other democracies either...

                        In practice the EU Parliament has been a lot more trouble for the executive than is typical in national bodies. The one valid point is that the parliament does not have the right to initiate legislation itself. That is unusual, but in practice many people who are actually close to political processes seem to say this is mostly symbolic, as national bodies can't really draft effective legislation without cooperation from the executive either... Still definitely something I would love to see addressed.

                  • By Certhas 2025-11-01 18:26

                    The parliament approves and dismisses the commission.

                    In the last cycles the candidate who led the party who won the parliamentary elections became head of commission.

                    So this is just wrong. The EU parliament has more power than US Congress or the UK parliament in this respect.

          • By StopDisinfo910 2025-11-01 9:57 1 reply

            For all the disdain I have for her, Von Der Leyen is the candidate put forward by the PPE, the majoritarian party in the EU parliament. So, yes, people were indeed allowed to vote.

            • By wqaatwt 2025-11-01 12:32 1 reply

              She was primarily nominated by the EU council.

              The parliament would have picked Weber, but nobody cared since it's just there to rubber stamp predetermined decisions.

              He was the leader of the party which won the plurality in the elections and had its support. EU had a real chance to move towards becoming a real parliamentary democracy if it went that way.

              • By StopDisinfo910 2025-11-01 16:41

                That was the election before the current one. She was the one put forward by the PPE this time and even then she was the second candidate put forward by the PPE after Weber was vetoed by France the previous time.

                That’s the new Spitzenkandidat system. The council is supposed to pick the candidate put forward by the main political force in the parliament.

                The EU is a real democracy anyway. All the members of the council are themselves democratically elected. It has a weird three parts political system but everyone in it is elected or appointed by people elected.

          • By exe34 2025-11-01 11:12

            I'm not in the EU! I can explain when somebody is wrong without having a horse in the race myself.

          • By victorbjorklund 2025-11-01 12:03

            technically people didn’t vote for Trump they voted for electors which voted for him.

      • By deaux 2025-11-01 5:42

        The same EU that's doing NL Labs, the org mentioned in the comment you're replying to.

      • By saubeidl 2025-11-01 11:43

        The same EU that shut down another attempt at Chat Control.

        Bad legislation gets written everywhere, the difference is, in the EU it doesn't pass.

    • By Lindby 2025-11-01 14:35 1 reply

      It would be hard to find manufacturers to use it. None of the existing Android phone manufacturers would be able to release phones with this fork without also abandoning the official Android platform on all markets. Google are very strict with this in their tos. You cannot release devices using non official Android builds without losing your right to use GMS and Android Brandice on your other Android devices.

      • By solarkraft 2025-11-02 10:13

        This can also easily be framed as anticompetitive.

    • By StopDisinfo910 2025-11-01 9:55 1 reply

      I hope the EU actually enforces the DMA and forces Google and Apple to stop their nonsense.

      • By jezek2 2025-11-01 22:38

        Unfortunately DMA is the reason Google is doing this. It allowed Apple to require notarization for "security". Google is just copying the same approach as it's now clear what the requirements by the governments are.

        Before it was unclear so it was better to allow installation of apps without any verification to appear as more open.

        Remember any regulation/law has unintended consequences. At one point Apple decided that PWAs would no longer be supported in EU so they don't have to provide equal capabilities to implement them in alternative web browsers, fortunately they changed their mind by obtaining an exception. PWAs are the only alternative choice for making "proper" apps on iOS (no hacky sideloading methods).

        I think overall DMA is more a loss than a win (good on paper, terrible in practice). It codified worse things. The EU app stores are still fully controlled by Apple (harder to install, they can just decline or drag notarization of any apps or revoke your license to dev tools, you need to still pay them, etc.).

        For various apps the EU market is too small (esp. for things that need to be global) to invest into the development so while you can for example theoretically develop a real alternative web browser to Safari/WebKit (forbidden by App Store rules) nobody is willing to do it.

    • By singpolyma3 2025-11-01 0:35 3 reply

      What's wrong with lineage?

      • By hilbert42 2025-11-01 1:52

        You have to get some of the big names to unlock the bootloader first. The trend towards locking it off permanently is alarming.

        Edit: Google could ultimately use that as a lever in licensing deals with manufacturers. It'd marginalize everything.

      • By IlikeKitties 2025-11-01 6:34 1 reply

        It's not a good, secure project by a longshot. There's a good comparison floating around:

        https://images.squarespace-cdn.com/content/v1/60f1421e1afcf4...

        • By AnthonyMouse 2025-11-01 7:11 2 reply

          That looks like someone made a list of mostly features specific to GrapheneOS so they could make a chart where all of the other alternatives (including stock Android) are full of red boxes.

          Several of those are the opposite of security features, like SafetyNet support, which might be a convenience in some cases but it mostly makes it so you can't upgrade certain parts of the system to newer versions even when the old versions have security vulnerabilities.

          • By Itoldmyselfso 2025-11-01 16:26 1 reply

            Or, far more plausibly, they added to the table features GrapheneOS has, but others don't.

            Here's the up-to-date comparison: https://eylenburg.github.io/android_comparison.htm

            As far as I know, there are no significant features other distros have that increase their privacy or security over what GOS has. I'm not entirely sure about the SafetyNet thing, but GOS is by far the most up-to-date to the AOSP out of these distros.

            • By AnthonyMouse 2025-11-01 18:08 1 reply

              The point isn't that GrapheneOS is bad but rather that it doesn't imply there is anything wrong with LineageOS when it's still better than Android itself.

              Moreover, some of the stuff with green boxes is still kind of a privacy fail. For example, with GNSS (i.e. GPS) your device calculates its location from the timing of radio broadcasts emitted by a network of satellites. It has extremely good privacy properties because your device is a passive radio receiver and neither the satellites nor anyone else know you're there when you use it. "Network-based location" can sometimes work when you're somewhere you can't hear the satellites, but now you have Google or someone else building a database of nearby wireless APs etc. in order to make it work, and in the process you're effectively uploading your location to them.

              • By Itoldmyselfso 2025-11-01 19:28 1 reply

                GOS developers have said on multiple occasions that they think LineageOS is worse for security than the stock OS on multiple devices, as it doesn't keep up with current privacy/security patches or provide all of the standard protections. The comparison also does bring up these faults. See also https://www.kuketz-blog.de/lineageos-weder-sicher-noch-daten...

                • By AnthonyMouse 2025-11-02 9:55

                  "Device does not force you to update" isn't a bug. The bug is "device forces you not to update" which is the thing you get with stock Android on the large majority of Android devices.

                  Their objections in general seem to be fairly pedantic, e.g. objecting to a connectivity check which could be improved in a theoretical sense but in practice that shouldn't be leaking anything you're not already giving up by having a phone which is turned on and connected to a cellular network.

          • By IlikeKitties 2025-11-01 7:42 1 reply

            >That looks like someone made a list of mostly features specific to GrapheneOS so they could make a chart where all of the other alternatives (including stock Android) are full of red boxes.

            No one else even bothered to make a list.

            >Several of those are the opposite of security features, like SafetyNet support, which might be a convenience in some cases but it mostly makes it so you can't upgrade certain parts of the system to newer versions even when the old versions have security vulnerabilities.

            Citation needed

            • By AnthonyMouse 2025-11-01 8:34

              > No one else even bothered to make a list.

              That doesn't make the biased list good.

              > Citation needed

              Are you not aware of what SafetyNet is? It's the thing where Google certifies that the phone is running the software produced for it by the OEM. The problem, of course, being that the OEM stops issuing updates and then the certified version has known vulnerabilities. Which is a lot of the point of wanting to install a newer ROM on such a device, except that then it won't pass SafetyNet because you replaced the vulnerable but certified code with third party code that has the patch but not the certification.

      • By numpad0 2025-11-01 13:04

        Active installs of LineageOS[1] as reported on official tracker is 4.3m instances right now. An MAU of 5m is like, less than Bluesky, Switch 2 shipped so far, most F2P phone games you've heard of, etc. The leverage it has is that of a game.

        1: https://stats.lineageos.org/

    • By immibis 2025-11-01 11:03

      Technical things can affect people. Adversarial interoperability. They're using a technical thing to cause a social thing anyway, and fighting back with the same tactics is at least not surrendering.

    • By ekianjo 2025-11-01 7:33 1 reply

      > hope we can get the EU to fund a truly open Android Fork

      The same EU that keeps pushing for breaking encryption and chatcontrol? No thank you

      • By TeMPOraL 2025-11-01 8:19

        > breaking encryption and chatcontrol

        The two are not equivalent issues; the first one is ill-formed as stated.

        Cryptography is a tool of control. It's "dual-use", in the same sense like a knife or nuclear fission is - its moral valence depends on who is wielding it, and to what end.

        In the context we're discussing, encryption is being used against the people. Working encryption is in fact needed to make chat control work - it's fundamental to it, the same way it is to Developer Verification and Safetynet/Remote Attestation. It would be great if EU decided to break that set of encryption applications. Alas, chat control only wants to break E2EE on messages, and uses encryption elsewhere to guarantee E2EE stays broken.

        A more general comment about this thread, and related ones in the past: people really need to stop thinking about "encryption" and "security" as inherently good. They're not. Most of the social problems with computing, the attempts at user disempowerment and disenfranchisement, persist because they apply cybersecurity solutions.

        The core question of security is always: who exactly is being secured, and from who.

    • By thaumasiotes 2025-10-31 22:25 6 reply

      > I hope we can get the EU to fund a truly open Android Fork.

      How are things in the EU on whether it's legal to buy a SIM card without showing ID?

      • By asimops 2025-10-31 23:18 2 reply

        A secure OS is a prerequisite for secure digital services. We can agree on that, right?

        The task, therefore, is to convince enough politicians to establish an independent unit that can address this issue without direct political influence.

        Fund the unit with enough money so that it can take care of the cybersecurity and sovereignty of all citizens.

        A side effect of this would hopefully be that these politicians would then be digitally literate enough to recognize nonsense such as chat control as such and reject it outright. I hope that most politicians would not really want such omnipotent surveillance tools if they could truly grasp their scope.

        • By IlikeKitties 2025-11-01 6:33

          I must sadly inform everyone here that the EU is pozzed beyond recovery in regards to Google. The reference implementation for the euid project is only available for android and ios and uses the play integrity api which makes usage of it on non google-certified devices impossible. https://github.com/eu-digital-identity-wallet/eudi-app-andro...

        • By TeMPOraL 2025-11-01 9:11 2 reply

          > A secure OS is a prerequisite for secure digital services. We can agree on that, right?

          Secure for who, and from whom?

          Remote Attestation and Developer Verification both make Android OS and platform more secure against malicious actors that would want to defeat the guarantees the platform gives, guarantees that enable secure digital services.

          Yes, this includes protecting the banking services and DRM media services and advertising platforms from malicious actors like you and me, who pose a real threat to the revenues of the aforementioned players, by:

          - Expecting banking to do security right on their own side, instead of outsourcing it to mobile platform and society at large (like with "identity theft" trick);

          - Enjoying entertainment and education in ways the vendor or IP owner does not like or can't be arsed to support, and thus not spending extra on the inferior ways that are supported;

          - Not looking at the ads.

          Same is with Chat Control. Chat Control improves security of the society against threats such as sexual predators who want to hurt children, or citizens who disapprove of how the current ruling class is governing the people. To effectively provide that security, Chat Control in turn relies on a secure OS and platform providing secure digital services - in particular, secure against those malicious actors that would want to circumvent Chat Control protections.

          Is the larger picture clear now? Security technologies are not inherently good, they're morally ambivalent. They're "dual-use". It's important to consider their deployment on a case-by-case basis, always asking who is being secured, and what are the actual threats they're being secured from.

          • By immibis 2025-11-01 11:06 1 reply

            > Chat Control improves security of the society against threats such as sexual predators who want to hurt children,

            no it doesn't. Chat Control is single-use.

            • By TeMPOraL 2025-11-01 17:12

              It does, to some extent. These projects wouldn't have the support they had if they didn't have a plausible way to deliver some improvement along the metrics they market. It's the outsized harmful impact that's usually just left unspoken.

              Also, I'm not saying Chat Control is dual-use, I'm saying crypto is. Chat Control actually needs working crypto to be properly implemented.

          • By exe34 2025-11-01 9:24

            did you understand and disagree with the third paragraph? if so, could you say in what way it didn't completely answer the question you just asked?

      • By remix2000 2025-10-31 22:41 1 reply

        It is neither illegal nor hard to obtain such a prepaid SIM card.

        • By kube-system 2025-10-31 22:52 3 reply

          That very much depends on the country, many require ID.

          • By Kwpolska 2025-10-31 22:57 4 reply

            The ID presented at time of purchase does not have to be the ID of the actual user of the card. Your local drunkard will be happy to get $10 to buy a SIM card for you. Or you could visit eBay (or local equivalent) and get a valid SIM card without leaving your house.

            • By logifail 2025-11-01 4:22 1 reply

              > The ID presented at time of purchase does not have to be the ID of the actual user of the card

              In some EU member states this might be fine, but definitely not all.

              > Your local drunkard will be happy to get $10 to buy a SIM card for you.

              Buying a SIM card was always the easy bit. Getting it activated may not be, it depends on which country you're in.

              https://www.telekom.de/prepaid-aktivierung/en/start

              "For the Selfie-Ident you identify yourself with your identity card, passport or residence permit. (Selfie-Ident is currently possible worldwide with the German ID card, residence permit and passport. Alternatively, you can use Video-Ident and identify yourself in a video call with an employee.)

              Important: Temporary identification documents are not supported due to internal check. You need a tablet or smartphone with a camera and an internet connection."

              • By econ 2025-11-01 5:50 1 reply

                Surely others may use your phone?

                • By logifail 2025-11-01 20:04 2 reply

                  If you're happy to purchase a SIM card, register it in your name, and hand it to someone else for them to use, go right ahead.

                  Q: Who's paying the bills for that SIM?

                  • By econ 2025-11-01 23:33 1 reply

                    I was referring to this part

                    > > The ID presented at time of purchase does not have to be the ID of the actual user of the card

                    > In some EU member states this might be fine, but definitely not all

                    It seems hard if not impossible to prevent or stop?

                    • By logifail 2025-11-03 20:19

                      > It seems hard if not impossible to prevent or stop?

                      Thought experiment: you can buy and register a car, and then lend it to someone else to use.

                      That's certainly "hard if not impossible to prevent or stop" and might seem fine ... right until the point when it isn't fine any more.

                      At which point the police will come to knock on your door (first).

                  • By Kwpolska 2025-11-03 20:23

                    > Q: Who's paying the bills for that SIM?

                    You can anonymously buy top-up vouchers in supermarkets for pay-as-you-go SIMs.

            • By kube-system 2025-10-31 22:59

              The suggestion above wasn’t a statement of practicality but rather of EU motivations. Maybe you can also find a drunkard to fork Android for you.

            • By noosphr 2025-10-31 23:04

              > While it is technically feasible, it is not a good idea to try and find a technical solution to a people/organisation problem.

            • By codedokode 2025-11-01 8:00

              In my country, giving a SIM card to another person who does something illegal, is a crime. No doubt EU might soon have the same law - they are pretty good at copying.

              As a result, sites where I could rent a number for verification, now don't offer local numbers anymore.

          • By asimops 2025-10-31 23:00

            Germany requires ID for all SIMs (for "normal" people). You can buy activated SIMs in every bigger city if you know what to look for though.

          • By remix2000 2025-10-31 23:10 1 reply

            You can use any country's SIM card in any other country, regardless of its registration status.

            • By kube-system 2025-10-31 23:29 3 reply

              … if you have roaming coverage.

              And even in that case, doing this for a long period of time violates most roaming policies

              • By qilo 2025-11-01 1:28

                Even with fair usage policy violations (like long term roaming) the prices are still quite reasonable: 1.30 EUR/GiB (+VAT); from next year 1.10 EUR/GiB (+VAT).

                https://en.wikipedia.org/wiki/European_Union_roaming_regulat...

              • By gambiting 2025-11-01 0:35 1 reply

                The only thing that happens is your data becomes a lot more expensive, the card still continues to work as normal. I've not lived in Poland for over 15 years now, and I still have a Polish SIM card that I use almost daily - the only thing that I've lost due to roaming long term is cheap data packs, I can still call and text as normal from my monthly allowance.

                • By kube-system 2025-11-01 2:20

                  Maybe in the countries that you are familiar with that is the case.

                  In some places your plan will be cancelled for roaming beyond a certain number of days or quantity of usage. Telecom laws and policies vary widely.

              • By pohuing 2025-10-31 23:52 2 reply

                There's EU (maybe even EEA?) wide free roaming legally mandated since I think 2017 or so? But it's not a permanent solution, your second paragraph still holds true.

                • By kube-system 2025-11-01 2:19 2 reply

                  I know of some UK SIMs that do not roam.

                  • By scarlehoff 2025-11-01 4:21

                    As far as I know it is only EU. Both UK and Switzerland have some operators that roam and some that do not. fwiw, fastweb in Italy provides roaming in both and has a very generous fair usage policy.

                  • By Digit-Al 2025-11-01 9:16

                    That's because we are no longer in the EU. Before Brexit they were legally mandated to allow free roaming in the EU. Now they are back to charging whatever outrageous prices they wish.

      • By WhyNotHugo 2025-11-01 1:11

        > How are things in the EU on whether it's legal to buy a SIM card without showing ID?

        It varies per country. In some you can just buy one (or more) SIM cards at a supermarket without any ID.

      • By jraph 2025-10-31 22:32 2 reply

        I'm confused, how are those two things related?

        • By semolino 2025-10-31 22:40 1 reply

          The commenter you replied to was implying that the EU does not respect the privacy/freedom of mobile device users.

          • By jraph 2025-11-01 7:10

            Okay, thanks.

            I was confused because anonymity against the state is hardly the only, or even a main point of android forks.

            Privacy usually is, but against big tech typically.

        • By peterhadlaw 2025-10-31 22:37 1 reply

          Nanny state

          • By vik0 2025-10-31 22:56 1 reply

            More like surveillance state

            • By ulfw 2025-10-31 23:38

              Which states aren't? And for the love of god do not write US now

      • By sigio 2025-11-01 0:03

        In many EU countries you can walk into many a supermarket or phone-store and just buy a simcard with cash without questions asked.

      • By supermatt 2025-11-01 14:35

        There is no such requirement in the EU - it is entirely up to the individual country.

  • By ianbutler 2025-11-01 1:06 6 reply

    I think this means we need to rely on web technologies more. PWAs are looking pretty good on mobile devices these days and you can publish any web app you want with no reviewing authority. The web has a bunch of crazy APIs now that let you build crazy things and for everything else you're a hosted server away somewhere that can run more complex jobs.

    I believe devices I own should let me do whatever I want with them and I agree that the verification is BS, but I'll work around it in the ways I can which means building more for the web.

    If that ever drops the open pretense (since both traffic and trust authority are largely centralized and thus easily controllable) then I'll only write for self hosted linux boxes.

    We as individuals can only do so much. We'd need actual organization and some measure of political power to do anything more since normal people do not care about this.

    • By rs186 2025-11-01 2:38 1 reply

      Bad news for you, Google happens to have a tight grip on the entire web ecosystem -- browser, search, ads etc.

      • By ianbutler 2025-11-01 8:38

        I obviously understand this and mentioned as much indirectly in the post. You can only do so much and the web is still more open than Android is about to be so again, you do what you can.

    • By Wowfunhappy 2025-11-01 1:10 4 reply

      I thought Brent Simmons did a great job laying out why PWAs don't work: https://inessential.com/2025/10/04/why-netnewswire-is-not-we...

      The tl;dr is that a PWA implies an app which is based in the cloud. So suddenly you need a server, and you need to store user data, which means costs and dealing with privacy and security.

      • By teraflop 2025-11-01 1:30 1 reply

        That explanation doesn't really make sense to me.

        If something could be built as a native app without depending on a central server, it could also be built as a PWA without a central server. You don't need to store user data centrally at all, just because it's a webapp. You can just have the clients use localStorage or IndexedDB or whatever.

        You still have to host the static files for the webapp itself, but that can be made very cheap.

        Of course, API feature parity between native and web apps is a separate issue. But the argument about server costs doesn't seem like a good one.

        • By Wowfunhappy 2025-11-01 1:47 3 reply

          Isn't localStorage limited to 5 MB of data?

          • By teraflop 2025-11-01 3:14

            Sure, but localStorage isn't really ideal for storing large objects anyway, because it forces everything to be stored in one big string-to-string map. It's great for small amounts of data such as user preferences.

            There are other APIs that allow you to store binary data directly (which you'll probably want if you're storing large files) and also to use/request larger quotas.

          • By koiueo 2025-11-01 3:31

            IndexedDB API is a bit more liberal in that regard

          • By porridgeraisin 2025-11-01 3:16

            Yeah, better is the filesystem API

      • By twixstar 2025-11-01 4:25

        I read the article, and I'm pretty certain he's talking about a traditional web application. When we speak of PWAs we're thinking of a set of APIs that let a web app behave like a native application, i.e. 'installation' + service workers, background sync, IndexedDB/FileSystem etc. You could probably make a self-sufficient RSS reader with what's available.

      • By Jaxan 2025-11-01 11:04 1 reply

        Basically every native app has a server behind it to harvest user data nowadays. So I don’t think it’s an argument for why PWAs won’t work.

        • By Wowfunhappy 2025-11-01 11:51

          If the app is made by a company, sure.

          It seems to me that, ironically, PWAs are uniquely ill-suited for the type of non-corporate software where distribution outside mainstream channels makes the most sense.

      • By charcircuit 2025-11-01 5:54 1 reply

        Practically you are going to have a server distribute a native application anyways.

        • By poisonborz 2025-11-01 13:09

          Not the developer. This is all additional complexity and less privacy for the user.

    • By nine_k 2025-11-01 2:07 1 reply

      You need native apps to access specific hardware, and to run some native code. WASM may help but it's limited, too.

      • By Jaxan 2025-11-01 11:02

        How many apps rely on specific hardware or native code though? I can only think of my banking apps when using nfc.

    • By morshu9001 2025-11-01 17:13 1 reply

      PWAs are at the mercy of Gapple and have always been handicapped in just the right places to not be viable vs installed apps. Most people don't even know how to install one.

      • By ianbutler 2025-11-01 18:29 1 reply

        Yeah but as I understand it Apple has become a lot more progressive on PWAs in the last few years. I’m under the impression they’re viable

        • By morshu9001 2025-11-03 4:21

          The recent change is you can do push notifications with them now, but still

    • By Saris 2025-11-08 17:05

      All the PWAs I've tried never really work properly, they don't integrate well with the OS for sharing and such, and often don't work well offline.

    • By srcreigh 2025-11-01 19:25

      This is harmful speculation. Many PWA features are broken in small ways which add up. The caniuse database does not test that a PWA feature meets the spec and there is no better database. Nobody can say that PWAs are "looking good" without such testing.

  • By andrewcchen 2025-10-31 22:33 1 reply

    So like LiveContainer[1] which works around ios's signing requirements

    [1] https://github.com/LiveContainer/LiveContainer

    • By IgorPartola 2025-11-01 1:06 1 reply

      Whoa that is neat! How does that not get shut down by Apple?

      • By Wowfunhappy 2025-11-01 1:20 1 reply

        They don't allow it in the app store, so you have a chicken-and-egg problem...

        • By zzrrt 2025-11-01 20:28 1 reply

          It works with AltStore or SideStore.

          • By Wowfunhappy 2025-11-01 22:37

            So you have to either live in the EU or have a helper app constantly running on a PC on your network…
