It's a tricky balancing act to secure their ecosystem.
The more measures they take to secure it while allowing the user to decide whether to participate, the more drastic this opt-out user-decision becomes.
In order to now preserve that "open ecosystem", they would have to provide the user an option to disable Google Services entirely, which would turn the device almost into a separate product.
All this is unlikely to happen just for the sake of "pleasing the community". I believe we need a general legally binding definition of what functions the user owns if (and when) a device is stripped of any services on top.
If my car loses functions once it loses connection to the manufacturer, this bare set should be communicated as the purchased value ("in exchange for your money"), separately from any on-top "in exchange for your data" business model.
The problem is phones became too important. They get trusted more than desktops for things like banking and ID verification.
I feel like the optimum solution is to just have two devices: your phone that has all of your banking, ID, etc., and another device that's completely open, that you can install whatever you want on, but that doesn't matter too much if it gets hacked.
If this is a reasonable direction, it could still be achieved on the same device. There would be sufficient security architecture available to completely isolate those two areas.
But I feel the issue is less about malware gathering your banking, ID, etc., but malware holding your data hostage, using your (social) network for nefarious purposes or tricking you into something you don't want to do.
And for all those cases, having that "other" device doesn't help.
> If this is a reasonable direction, it could still be achieved on the same device. There would be sufficient security architecture available to completely isolate those two areas.
The problem here is: who controls the means of input and output, the screen and keyboard? The trusted identity thingy sometimes needs to show the user some details, have them key in a PIN, things like that. So they know whether they're approving a $2 in-app purchase or a 10-bitcoin transfer.
If the free and open part of the system controls the screen and keyboard, the details could be shown wrong and the PIN could be keylogged and replayed later.
If the secure-and-locked-down part of the system controls the screen and keyboard, the free and open part of the system is basically reduced to an app or website.
And if the secure-and-locked-down part of the system has its own separate screen and keyboard - it's hardly the same device.
No, but I find the supported options to customize Android sufficient for my needs so that wouldn't happen to me personally.
My point is only that there's already a system that lets you run whatever apps you want, and to heavily customize the OS, and also make your bank happy by running a secure OS. It's just out of the box Android. You can replace all the built in apps, including the base "desktop" GUI, keyboard and browser. So this discussion revolves around an edge case: someone who wants to customize security-critical OS primitives like the kernel or compositor, AND who isn't doing this as part of a project big enough to partner with Google, AND who wants their bank to accept their changes as secure enough, AND who doesn't want to provide such institutions with some non-Google managed evidence of that, AND who doesn't want to tolerate using two devices.
There are very few use cases for that. The only one anyone can seem to muster in this thread is to prepare for a hypothetical future in which Google prevents ad blocking at the OS level, which hasn't happened in more than 15 years of Google being an ad company. So today there is a vanishingly small number of people for whom Android's existing mechanisms are insufficient, and for those people, there is dual boot, again because the Android team planned for this and built a secure boot system that allows alternative OS installs on a phone.