Hans-Christoph Steiner @eighthave@librem.one

@j2bryson @1br0wn @spikebike Ah yes, the #Huawei aspect would explain it. I wonder how many 0-click Pegasus/etc infections they would have prevented by not mandating a single vendor for mobile devices. Back in 2018, #iOS was looking better than #Android in terms of security.

@debacle @rene_mobile @mobian This makes me think of how I used to be excited about working with #Android, now the only exciting thing about it is its market share. As a #hacker, I find #PinePhone a lot more exciting these days, despite all its limitations.

@rene_mobile Aspects of the technical structure of #Android magnify this because developers cross-compile and run in emulators/devices. Basically no one is doing Android dev on Android. #macOS and #iOS at least were very close to the same OS. I switched to #Debian #GNOME and #Android at the same time, around 2009. Back then, #Android was hackable and flexible. We took full advantage of that. Now my feeling is that #Android is focused on #security for #BigTech and no longer empowering users 2/2

@rene_mobile #Google is a #cloud company, and its users expect to have everything tied into the cloud. Fine if you want that. Before, #Android offered much more developer freedom and flexibility. Now, it feels like it is being locked into the cloud and pushed to prioritize consuming over creating. Same thing with #macOS, I used #NeXTSTEP since 1994, and stuck with it unbroken as it became MacOSX and even #iOS. #iTunes and iOS pushed #Apple to shift their focus from creating to consuming. 1/

@rene_mobile I haven't touched SAF code in a while now, so I can't remember details. I do clearly remember feeling that this API made it drastically harder to do what I was doing before. And in order to give any kind of consistent UX across the supported #Android versions, I had to have 3 parallel implementations with a number of per-version quirks. Plus it is biased towards pushing to the cloud. For many use cases, local storage still has advantages, including #privacy and resilience.

@j2bryson @spikebike @1br0wn if so, that's a laughable policy. One of the most basic rules of defense is "don't put all your eggs in one basket". Ahem #Pegasus 0-click https://www.amnesty.org/en/latest/news/2021/07/pegasus-project-apple-iphones-compromised-by-nso-spyware/

@rene_mobile And also, I think the right solution is to keep the bad apps out, that's what we work to do in #FDroid. Then users have the freedom to use apps that require flexible access to the external storage to provide their features. The SAF changes felt to me to be a way to cut out apps that do media/app sharing device-to-device, instead of via cloud services. Device-to-device data exchange is very important in places where data plans are expensive and measured in the 100s of MB per month

@rene_mobile I understand why they were created, and I think the core idea is good. But the way it has been rolled out has been painful to a lot of developers, especially if the app isn't just doing a simple tie-in to a cloud service. My experience is that every other OS release introduced new and often conflicting APIs and requirements making it very difficult to make a UX that worked across the currently supported releases.

@spikebike @j2bryson @1br0wn That could play an role in the pricing, but I'm guessing it is a pretty small role. These exploits are generally sold priced per-target. The governments using them care about getting access to the target, not all the users of a platform.

That totally clicked for me, that's how I have been feeling about working with the Storage Access Framework APIs in Android. On top of that, Android APIs prefer cloud services. Guess what: #Google #cloud services are built-in defaults for those APIs on all the Google devices.

And that concludes my reporting on the #DMAWorkshop, thanks to the Filecoin Foundation for the Decentralized Web #FFDW and their grant to @guardianproject for paying my way. https://www.ffdweb.org/guardian-project-annoucement/ - https://f-droid.org/en/2022/02/05/decentralizing-distribution.html

Congrats to #matrix co-founder @matthew for rocking the last #DMAWorkshop, there was still quite a bit of buzz about how the live bridging demo carried a ton of weight, despite the lobbying efforts from #Meta, you can see it at around 14:00 in the live stream recording https://webcast.ec.europa.eu/dma-workshop-2023-02-27

@j2bryson @1br0wn given that #Android exploits are currently selling for more than #iOS exploits, I'd say that's one key piece of evidence pointing to Android as the more secure option https://www.zerodium.com/images/zerodium_prices_mobiles.png

Very exciting to hear the #EuropeanCommision say it is clear that the #gatekeepers are not the only ones who are providing secure and trustworthy app stores. I think that comment alone has made my trip worthwhile #DMAWorkshop