A rewritten version of an article where I got a little emotional
This article probably got split into three, as I tried to talk about three things at once, and readability suffered.
The Fax
If you either scroll down sometimes or have a non-negligible memory, you may remember that I wrote about the Play Integrity changes a few…months(?)…ago?
If you have ever argued with an iOS user, you probably know that Android — mostly GMS'd Android — globally runs about 70% of the market, and I'd presume it's in part popular due to its openness, which Google seems to be plugging, for good — or really, for bad — if there's no backlash.
Google is restricting sideloading a lot, dare I call this iOS-level. In case you prefer reading at the source, it's also written down on Android Developers, which may be less or more neutral about the subject, but probably more one-sided.
The Considerations
While being able to know exactly who's distributing malware sounds cool, we need to remember that not everything sideloaded is malware. For example:
AdAway, which isn't on Google Play because Google wants ad revenue
F-Droid, which can't be on Google Play because it's an app store…and because it's kind of silly to download an app store that doesn't track you over a platform that tracks you
With this new policy, Google would know exactly who makes what applications, and can choose to censor any of these from most of Android, like they did to YouTube Vanced.
The Speculation
Even if Google says something along the lines of ‘You need to calm down everyone, turns out we're not doing that, promise’ the precedent of we do what we want to your phone is still there.
Apple has this tight of a grip on the ecosystem, or used to, and look what they did to my boy Firefox! They forced him to WebKit. A KHTML-based Mozilla product, blasphemous!
And it's not just internal pressure that could make Google do things. An oppressive government could force Google to do anything, and since Google is in it for the money, I don't see them above bending to the will of dictators. Or maybe they are. They used to have a motto of ‘Don't be Evil.’
The Brainwashing
Even if you may not use non-store apps, some people do. Maybe Google eventually pulls some private messengers in response to the recent EU Chat Control discussion. Maybe you use that messenger to stay connected with friends and family. Maybe you want to sideload it. Maybe Google banned it. Do you now wish to rely on Feta(formerly Makebook)?
Even if Google says they won't release the data, they will still have it. It's about data and control. It seems harmless today, but it's a slippery slope. Do you want to let Google track more than they need to, to sell you more with ads?
Don't you just hate it when you read a newspost and accidentally spill your drink? Don't you just hate it even more when the table isn't set and you have to clean it immediately? In my case, the laptop was in splash range. Lesson learned — The hard way.
On the flip side, I am writing this post. The only broken hardware are the touchpad click buttons. I'll either get used to their absence or try to fix them.
So, who here uses rooted Android? Oh, right, literally just me, Cloudflare says I have basically no legit visitors. If you are a legit visitor, you're definitely not the one-hundredth one — but since you're already connected to the internet — might as well drop me some mail.
Back to what I was actually writing about, Play Integrity: For the unfamiliar, Google wants to make sure apps can know if a device is in an out-of-box state or actually usable. Tampered with, as Google likes to call it. The former option is the 255th layer of hell in most cases. The latter is what I'm using.
Google decided to bump the requirements for Android 13 and newer, as the integrity level for older, unmodified devices was easily attained with Magisk / APatch / KernelSU modules like Play Integrity Fix — PIF for short.
The new ones are pretty hard to get. I can't even get the basic attestation anymore, which is rather annoying. Unrooting would be an option, but Magisk is just so useful…
Have I mentioned Google uses proprietary byte code running in a quite secure environment for this? Huge props to people like chiteroman and osm0sis for dealing with this stuff. They may not make all of the world go round, but they sure do make mine.
I hope somebody finds a way to get just basic or device attestation again at some point. Until then, I'm using a keybox that will get revoked as soon as I look the wrong way — because some apps — especially the ones that don't need it — really want integrity, whether I like it or not.
PS: First blog post where I asked an LLM to proofread. Hope you don't mind. If you do, your problem.
Unfortunately can't do a proper blogpost today, my main machine is really busy copying a partition to a bigger drive — Problem is that it's copying my rootfs, which means booting from a thumbdrive, so I can't use my shellscript to add timestamps and wrap my post in <article> tags. QoL thing, and I won't write a full-blown post without it now.
A Quick and Dirty List of Shell-Scriptable Tools You'll Rarely Ever Need
Grepping and cutting within minified JSON APIs is…not fun, to say the least. What if you had a way to parse it properly?jq lets you do just that — and everything else you could possibly want to do to arbitrary structured data — by either vibe coding with your LLM of choice, querying a search engine you still haven't decided on, or by reading the man page, like a nerd.
XMLStarlet - Doing absolutely everything you can imagine to well-formed XML
Similarly to jq, xmlstarlet also deals with structured data — Because apparently we can't agree on a one-size-fits all standard.
Aside from escaping and unescaping streamed data, it can also edit, beautify (format, as it calls it), extract data from, list the filesystem as, canonicalize — an euphemism for 'fix your weird misuses of insignificant whitespace' — validate and do magic on pretty much arbitrary XML, as long as it's valid…enough.
zopflipng - For when you have too much time and a high-fidelity scan
Don't you just hate when you have to downscale the document you scanned at 1200dpi — for no reason at all — to something sane because it's over five megabytes? Then zopflipng can't help you, unless you actually have way, way too much time on your hands. If you don't, it's still useful for shaving off a few bits from lower-resolution icons. (Of course, you can still waste time by spamming -m enough times.)
ImageMagick/Graphicsmagick - when GIMP is too heavy
Two related tools for image conversion and procedural(?) editing. gm is slightly less powerful but should be nicer on licensing, while magick is the upstream and has some controversy around it. Use what you prefer, or use neither.
I primarily use it for when I need to operate on a ton of images — mogrify is your friend, although nowadays it should be invoked as (magick|gm) mogrify — I'm sure they're not deprecating the legacy invocation any time soon, too much breakage.
Sometime ago I started doing Search Engine Optimization — and before anybody flames me for it, I won't add analytics beyond what cloudflare ships, those are helpful for preventing bot spam. — which also meant making my <head> much bigger by including a lot of metadata. Another fun thing was adding a humans- and a robots.txt file. Spent the last thirty-or-something minutes writing a sitemap generator in bash, with a little help from ChatGPT for finding the right tools for the job. Is XMLStarlet overkill? …Probably. Does it work? Until you try to change something. Am I running it way too often? Arguably. But hey, the only dependency on Starlet is a single function that can be replaced quite easily. Feel free to look at the output yourself under sitemap.xml
As for why everything I do involves way too many shellscripts, I only know python, bash, that weird scripting language Plymouth uses and traces of C, but I've almost perfected the second one to the extent of an art form, so I'll just use it until I have to do things properly.
Today is a tragic day. One of my permanently borrowed Unifying Receivers died — I now have one left that went bathing. I think it's been jammed too hard into my laptop when putting it in its case. That usb port is fine, so at least the damage kept itself to a receiver…
…for a deprecated protocol replaced by Logi Bolt. This is where Logitech went downhill, killing off support for older mice on newer receivers. I know that supporting old protocols is annoying, but Unifying devices are still pretty popular
Having a working page is cool. Having cloudflare error out isn't. Listening on the right port with the right protocol is important. So are certs.
I was going to put a blogpost here, but a problem with the web is that you need content if you want to make pages. And a lorem ipsum is not the answer. So I guess this will have to do for today.
Building for the web is annoying, but at least I have something like a portfolio now.
