Security Now 1046: Google's Developer Registration Decree
Date: October 8, 2025
Hosts: Steve Gibson and Leo Laporte
Episode Overview
This episode delves into major recent developments in technology and security, with a primary focus on Google's new requirement that all Android developers register formally (with ID and a fee) to distribute apps. Steve and Leo critically examine Google’s move, its impact on the open-source F-Droid project and alternative app stores, and the broader risks of increasing centralization and gatekeeping in app ecosystems. The episode also covers news including browser benchmarks, ransomware updates, developments in the EU’s “chat control” legislation, data breaches, and the ongoing tension between security, privacy, and user freedom.
Key Discussion Points & Insights
1. Google’s Developer Registration Decree
[125:35] - [144:50]
- What’s New: Google will now require all Android developers worldwide to:
  - Register with Google, supply government-issued ID, and pay a registration fee.
  - Enumerate all unique app identifiers for every app distributed.
  - This policy impacts not only those distributing through Google Play, but also developers using third-party platforms like F-Droid.
- F-Droid’s Perspective: Steve reads at length from Mark's heartfelt post on f-droid.org, outlining the existential threat this poses to alternative, privacy-respecting app repositories.
  “If it were to be put into effect, the developer registration Decree will end the F-Droid Project and other free open source app distribution sources as we know them today...” — Mark, F-Droid ([125:35])
- Steve’s Analysis:
  - Empathy for Both Sides: Google faces rampant malware and fraud in the Play Store; registration increases accountability and raises the bar for dedication and identification.
  - Downside: This fundamentally changes the open model of Android—possibly ending anonymous, non-commercial development, and centralizing power in “two US companies headquartered 10 miles away from each other.”
  - Possible Outcome: Some workarounds (e.g., F-Droid taking over app IDs and signing on behalf of developers) might soften the impact, but could also pose workload and philosophical challenges.
  - Regulator Response: The European Commission’s Digital Markets Act is cited as both enabling alternative stores and allowing “strict necessary and proportionate measures” on security—language which Steve (and F-Droid) warn can be twisted to justify near-total lockdowns.
- Notable Quote:
  “We do not believe that developer Registration is motivated by security. We believe it is about consolidating power and tightening control over a formerly open ecosystem.” — F-Droid open letter ([131:22])
- Community Comments: A listener’s email is read showing regulatory authorities’ generic and noncommittal response, while Mark from F-Droid calls out gatekeeper abuses.
- Steve’s Conclusion: While sympathetic to the need for accountability, Steve sees the shift as “inevitable” and tied to the wider clampdown on digital freedom, both from tech giants and from government regulation using crime and child safety as justification.
2. Browser Benchmarks & Brave’s Claims
[24:40] - [31:22]
- Brave’s Milestone: 100 million monthly active users.
- Speed Claims: Brave advertises “up to three times faster” performance than competitors.
- Steve calls foul, noting all Chromium-based browsers (like Chrome, Edge, Vivaldi, Opera, and Brave) share the same rendering engine — any speed gains come from blocking ads and scripts, not magic “pixie dust.”
- In real-world benchmarks, Brave can be up to 21% faster (when ad/tracker blocking is a factor), but 3x claims are “utterly bogus.”
- Leo’s Note: Prefers alternatives to Brave due to its crypto associations; highlights “Helium,” a deGoogled Chromium fork.
Memorable exchange:
“Brave should be ashamed…for claiming that users will in any meaningful way actually ever experience Brave running three times faster than its competitors.” — Steve Gibson ([27:52])
3. EU Chat Control Legislation: Encryption, Privacy & Feasibility
[31:24] - [41:25] and [86:49] - [91:17]
- Upcoming Vote: EU member countries will vote on legislation (“chat control”) mandating scanning of apps for illegal content (e.g., CSAM).
- Signal’s Response: Threatens to leave the EU rather than compromise encryption.
  “If we were faced with a choice of either undermining the integrity of our encryption...or leaving Europe, we would unfortunately make the decision to leave the market.” — Meredith Whittaker, Signal President ([32:38])
- Steve’s Technical Analysis:
  - Checking content “before encryption” is being discussed, but in practice, apps don’t handle hardware directly—OS APIs abstract image/video storage.
  - “Any legislation aimed at communicating platform application…is the wrong target…legislation should be directed at the OS.”
- Practical Problems:
  - Calls for privacy-respecting, effective scanning are contradictory; you can’t scan content without breaching privacy.
  - The risk of “endless whack-a-mole” with non-compliant apps if this isn’t anchored at the OS level.
4. Broader Security News & Notable Events
Qantas Injunction on Leaked Data
[19:06]
- Australian court issues permanent injunction forbidding anyone from accessing or sharing data leaked from Qantas’ breach — Steve argues criminals will not care, sees this as “CYA” for the company.
Outlook Now Blocks SVG Images
[51:46]
- Microsoft’s Outlook (Web & new Windows app) will no longer render SVG images inline, due to the risk of malicious JavaScript embedded in SVG files. SVG attachments are still allowed, but are not displayed automatically.
Google Drive Adds Ransomware Detection
[57:16]
- New AI-driven detection stops file sync if ransomware is detected; users can restore affected files within 25 days.
UK vs Apple Over iCloud Data
[59:03]
- UK again demands Apple provide access to UK citizens’ iCloud data; Apple is expected to respond by disabling Advanced Data Protection (full encryption) for UK users only.
Image Hosting: Imgur Leaves the UK
[76:15]
- Imgur blocks all UK access after ICO regulatory action concerning children’s data and age checks; all embedded Imgur content now fails to display for UK IP addresses.
- Steve and Leo lament: "We're heading toward a world where determining users’ ages is a basic technical and legal requirement for online services" ([85:27]).
Discord Breach Leaks Government IDs
[92:11]
- Discord’s third-party support vendor breached; stolen data included government ID scans collected for age verification.
Salesforce Ransom/Extortion
[95:10]
- Steve critiques Salesforce’s PR-heavy response to a major extortion incident (allegedly compromising ~1 billion records).
Signal’s Triple Ratchet Upgrade
[100:22]
- Signal adds a ‘sparse post-quantum ratchet’ — a third level of cryptographic protection, making message security even more resilient.
5. Listener Feedback Highlights
iOS 26 “Liquid Glass” Effects
[112:27]
- A listener corrects Steve’s belief that iPhone 12 doesn’t support iOS 26’s new visual effects—it was due to “reduce motion/transparency” settings. Steve finds the fully animated UI “cartoony” and “over the top.”
TPM 2.0 & Windows 11 Upgrades
[120:00]
- Listener notes many PCs stuck on Windows 10 may simply need a BIOS update to enable TPM 2.0—potentially saving usable hardware from e-waste.
Notable Quotes & Moments
- On App Store Centralization:
  "The lack of alarm has been for me quite alarming. Every piece of software installed on billions of mobile devices around the world is going to be gatekept by two US companies..." — Mark, F-Droid ([137:30])
- On Regulatory Excuses:
  "Are these actions being taken in response to crime, or is crime just their excuse? No one will argue against protecting children. But whatever the reason, the outcome is the same: new gates are being erected, and with those gates come gatekeepers." — Steve Gibson ([143:13])
- Browser Wars:
  “If you were [really] 300% faster, you wouldn't have any competition.” — Steve ([29:36])
- On Age Verification and Privacy:
  “We have no way to force [personal data’s] deletion after it's served its purpose… anything that gets loose on the Internet, it's gone.” — Steve ([93:32])
- On UI Design:
  “Apple’s new user interface…jumping up and down like a spoiled infant…The best interfaces are the ones that disappear.” — Steve ([116:34])
Timestamps – Key Segments
- Brave Browser Speed Claims: [24:40] – [31:22]
- EU “Chat Control,” Signal's Stand: [31:24] – [41:25]; Addendum at [86:49] – [91:17]
- Outlook Blocks SVG: [51:46]
- Qantas Data Injunction: [19:06]
- Imgur Leaves UK: [76:15]
- Google Drive Ransomware Detection: [57:16]
- App Store Gatekeeping/Google Decree Main Story: [125:35] – [144:50]
- TPM 2.0 Listener Story (Windows 11): [120:00]
- Signal's Post-Quantum Ratchet: [100:22]
Tone and Style
The conversation is relaxed, technical, and entertaining—peppered with warmth and wit, frequent asides about personal tech habits, and nostalgia for better days in open tech. The mood oscillates between concern (over regulatory overreach and loss of freedom), ironic amusement at PR spin and "AI washing," and appreciation for creative technical solutions such as the “Picture of the Week” (the math-based wallet authentication note).
Takeaways
- Google’s developer registration is a tectonic shift for alternative Android app stores—likely spelling the end for privacy-respecting, open repositories like F-Droid unless workarounds can be found.
- Brave’s speed claims are overblown—real differences come from ad/script blocking, not underlying engine improvements.
- The rise of legislation requiring user age verification and content scanning is remapping the technical (and philosophical) landscape of the Internet—with great risk to privacy, competition, and openness.
- More and more, security measures are leading to new layers of centralization, corporate and governmental gatekeeping, and shrinking zones of trust and anonymity.