It is amazing how Volkswagen keeps messing up.
I am currently in the market for a new car, an EV specifically. Volkswagen brands were at the top of my list for many reasons, among them the excellent driving assist implementation.
I got an offer from a dealer three weeks ago and was going to order the car, then the API for the community integration got turned off. I decided to hold back and see what comes from it. Now this, which ultimately - since I am a GrapheneOS user - makes me completely cancel my plans.
I really do not understand VWs thinking here. It would cost them little to nothing to continue not blocking the the inofficial API and not block GrapheneOS (or other non Play Protect androids) users. It would have no adverse effects on the average Joe, but it would gain a lot of support and enthusiasm from heavy users, differentiating from other brands. Not to mention the fact that it is the USERS data in the first place
German companies, especially old school industrial ones like VW, have a very hard time understanding open platforms. The view everything through the lense of liability and compliance first. Their thinking is that if someone runs their app on a custom ROM and uses that to manipulate the app in any way, and that causes some extremely hypothetical damage, that they might be held liable for not having prevented this situation.
Obviously, the chances of that are virtually zero. But they'd rather make their product worse than assume with any kind of risk, even if it is virtually zero. That is simply the way in which German enterprises operate.
Same here. I'll be in a market soon and I had my eyes on a VW i4 or a Škoda Enyaq, but this makes me seriously reconsider. I really wanted to support local industry and buy a European product this time, but they are making it seriously difficult (no, don't get me even started on Stellantis).
VW is obviously not thinking that any noticable portion of the userbase uses Graphene, and someone (somewhere) is going to get a promo by making VW infra adhere to "standards" or something
I don't use Graphene, but now I'm out of the market for a VW.
Vendor lock-in to Play services is ridiculous.
A car is a big purchase, and ideally not something I discard after a few years. I'd like it to not treat me like a second-class citizen and renter who can't make decisions over how to extend the life of my purchase.
> Volkswagen brands were at the top of my list for many reasons
You should definitely reevaluate how you constructed your list. VW has a history of being scummy (https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal) and their ICE cars are notorious for being unreliable compared to the Japanese car-makers. To be fair, EVs do change the equation a bit, but given their scandal plagued past, there's no way I would put them at the top of any list.
This is sadly not even the full extent of it. What they did is, they locked their api entirely for anything that is not play protect certified. That means, all the cool stuff that was doable via community-driven projects is now dead in the water.
The "app" they provide is 60% advertisement, 30% features, and I unironically preferred using a Home Assistant connection instead of of it for everything. Even for automations like "when to preheat the car", since that was easier and more intuitive outside of their native function.
This also means, that charge control from the cars side is not possible to automate anymore.
Sure, one could take the position "but it was never officially promised", but for some people, including me, having the api (which is paid btw) was a selling point.
I feel you. From my side I try to complain / rate / review every time, even if it's a low effort action, to cost them time and in the case of the regulated companies, to slightly worsen their complaint stats.
There's enough of users to start making a difference. Really, even a low effort action raising valid concerns (security theater, a lie, google's monopolistic position, anti-competitive, etc), keywords that will make their response more careful and potential complaint to the regulator more impactful.
Things like this can actually be a good way to nudge a company in the right direction sometimes. Nobody uses those internal review systems, and sometimes their stats are actually important. A handful of users might make up a really big chunk of the reviews.
In a similar vein, I once met a woman who told me how she would enter every single one of those stupid contests that you'd see printed on cereal boxes and ice cream containers because literally five people enter into those things, so you're odds of winning are surprisingly high. Apparently she won a bunch of them, but her favorite was when got a week long vacation that included going on a fishing trip with Ben and Jerry of "Ben and Jerry's".
So "Play Protect" is doing all the damage to the third-party ecosystem that it'd seemed designed for.
I've slowly but surely been moving away from any service provider of any type who does not allow me to use their service without their often Play Services-dependent app. Changing vehicles would be a lot harder though.
Driving a rental car in Germany almost makes me cheer for the ongoing bankruptcy of their auto industry. It really needs a full reset at this point. Sad thing is EU law mandates for a modem in the car as well as intrusive driving aids that actually make driving less safe by constantly driving your attention away from the road[1]. So there is no hope to get a minimally decent car in Europe in the near future, unless a wider reset also happens at the political and social level.
Whoever came up with the idea that the car should beep loudly even close to the speed limit has clearly never driven a car.
The best way to silence it is to constantly be over the speed limit or well below.
This thing makes me crazy. But I can somehow ignore my Skoda’s whining. The other car was bought months before this regulation happened and I will keep it as long as I can.
I don't know how large a group who will do this is - but if the UK bans VPNs I can see Graphene having a very large target on its back.
- Buy Pixel, Get Graphene
- Use FDroid, don't sign up for Google Play, download Tor browser
- Censorship resistant access to the internet without handing over your ID.
Pixel being a fairly popular phone in the UK is the interesting bit - if you had to buy some niche device I couldn't see it hitting more than a few hundred people doing it, but there are likely 100k pixels in the UK, and it's still possible to buy one and put Graphene on it.
The squeeze on the free internet happened so quick by the UK (well it took years of indifference and a failure to enshrine protections - but once they started moving the did so super fast)
Realistically we're speed running ID being tied to internet usage - create your escape hatch while you can!
I regret not signing up for Discord when they first introduced facial recognition and middle schoolers were trivially spoofing their ID checks with meme pics.
There's really something to be said for greedily signing up for most things and trying to get grandfathered before the zipcuffs tighten.
IRL, though, fuck this. Home depot added flock cams and broad facial recognition, grocery store installed turnstiles, haven't stepped foot in either since. I'm just dropping out of the IRL retail economy left and right.
There must be 10s of millions of x86 PCs with unlocked bioses in the UK. The issue won't be running an open device. The problem is software - what does someone running Linux do if the government mandates online services require proprietary attestation APIs?
It's scary how quickly the banning is moving. The problem is what happens next. When they realise that banning things doesn't really work. The next logical step is severely limiting internet traffic.
> what does someone running Linux do if the government mandates online services require proprietary attestation APIs?
One dual-boots to a reputable Linux vendor’s signed/sealed OS image with secure boot enabled in BIOS, so that the attestations are valid; financially supports said vendor; contacts them quarterly with check-ins on the status of their lockdown+attestation roadmap and uses professional journalism approaches to highlight their (in/)action; and, contacts one’s relevant governing body to petition for the addition of that vendor’s signed/sealed product line to be added to the authorized signatures list by both government-sponsored apps and to the verification platforms of the competing vendors (in order to balance the necessities of attestations with an appropriate degree of anti-monopolistic protections for consumers).
> It's scary how quickly the banning is moving. The problem is what happens next. When they realise that banning things doesn't really work
This confidence that ‘attestation doesn’t really work’ is the same sort of confidence that lead the Linux user community to largely scoff at, and ignore, attestation’s threat from when it was ballistically launched three decades ago towards the future. Options are now very limited for stopping it, and largely reduced to ‘getting some Linux into the approval list’. Severe compromises in user freedom will be required for the signed+sealed distro images to receive government approvals.
Imagine if Linux were an app on a video game console and you start to see the outcome: it’s a perfectly great working environment into which all of /usr/local and /opt and /home are writable, but the lockdown prevents you from modifying the OS in any way that could defeat the attestation protections. Apps you install into /opt can only access their own /opt/prefix, apps you install into /usr/local can access $HOME. The apps you install can choose to write session data (such as digital age verification certificates) to a system-protected /data store keyed first by the kernel’s signature, and second by the vendor signature the kernel reads from the app; with the understanding that an attestation latch-forward after an exploit patch will wipe that store, and that dual-booting to a different vendor will suspend access to sessions stored by that vendor.
This is, to climb on my hobby horse for a moment, why I continue to believe that Valve will be the first Linux vendor to receive government attestation approval alongside Apple / Google / Microsoft have previously across the desktop and mobile spaces. I’d really prefer that to be Graphene, Ubuntu, and Valve — but Graphene’s customer base is hostile to this, Ubuntu doesn’t have any incentive to care, and of the Linux vendors out there, Valve has a decade-long head start on the need for a locked-down and attested platform for business reasons. All of the above falls out naturally from considering how to defend one app from another on Android, iOS, Steam Deck, and Xbox. So far as I can tell today, though, Linux intends to be left out in the cold on all this. Oh well.
“Every time we see a Google Pixel, we suspect it might belong to a drug dealer,” said a police official leading the anti-drug operation in Catalonia.."
Seems like some countries/areas are already targeting the Pixel (really its because of GrapheneOS)
And some including mullvad already accept payment in crypto, there will always be some dodgy VPN company in some dodgy jurisdiction that will take your BTC in exchange for an account.
VW blocking third party to access their servers is one thing, the thing that I find shocking is that you need to access VW servers to obtain your charging data while this should be directly available locally from the car.
The historical data is aggregated in some "cloud" rather than in the car, but if you want to collect and aggregate the data locally, you can still, for now at least. Car Scanner Pro and ABRP (A Better Route Planner) are both really popular for EVs for this exact use case, and both support VW EVs; they read battery charge state / voltage / temperature and operating states (speed, consumption, etc) using both standard OBD and proprietary manufacturer diagnostic IDs over the OBD port and then redo the aggregation and math that VW are doing on their end.
I am in market for a Car within a year or two, and I promise it won't be one from Volkswagen, if a company supports OSS platforms in cars and is available in APAC I will buy from them even if it costs 2x for the same specs (preferably a Hybrid but EV works too I guess).
Google Play has been a huge drag on innovation and security in the mobile ecosystem. I'm actually looking forward to the time when AI kills the mobile app ecosystem so that every phone manufacturer can bundle their own "vibe-code-your-own-app" system with their devices, and the Google Play monopoly is broken.
I don't think that will happen. Sure for a minority of users the same as people running linux for their daily driver, and I definitely support it!
It's possible that we get to a place where everyone cooks their own meal (vibe coded app), and only goes out to eat sometimes (official app store). Spreadsheets are the same, you can get a lot of milage, and most still buy and use closed source software.
I see a future where it is easier for startups to create their own mobile devices than to deliver certain functionality through the Google and Apple platforms where your own data will be used against you and where their devices can record you 24/7 without any remediation to ensure privacy.
Let's rewind 15 years ago when everyone was jumping and praising mobile Eco-systems. Did no one ever see this happening or were most too gullible with Facebook hugs and pokes
I want a law that requires publishing your API for apps like this as well as allowing users to crate their own frontend based on it. That would enable more privacy aware versions of these apps.
Sort of, there're more posts about graphene in the year 2026 & they get much more attention. Aggregated some data and plotted it with my agent: https://boop.icu/Pr.png
It's not your car anymore, you're just renting someone else's hardware and access to their restricted platforms. Some recent cars even deny starting your car engine if the always on camera facing the driver thinks the driver isn't capable of driving "safely".
This is the WEF future your conspiracy uncle was telling you about during family gatherings. Well.
I hate that cars are every day more and more crammed with software, when car manufacturers can't seem to be able to make half-working code in the first place (looking at you Nissan, who just can't even put the correct timestamp on your GPS data points…)
My car won't let me flick the windshield wipers while the car is parked. I don't know why, maybe they think I'm throwing rain onto... already wet pedestrians? Similar problem with auto-folding mirrors. My mirror was frozen shut one day, and I didn't notice until I'd been driving for a few blocks (which is on me). Figured I'd just cycle the fold-unfold a few times to pop it free, but the button is disabled when the car is in motion.
Increasingly my vision of retirement is a life of luxury surrounded by hardware from before the internet era, things that do what I tell them, rather than telling me what I am and am not allowed to do.
I'm filling my shop with machining equipment without all the extras, but my first 6 years of retirement will be fixing those machines before I can make anything... (and family history doesn't give me good odds of living that long - which is average.)
Supporting mainstream OEM variants can already be enough of a nightmare in behavioural differences. What motivation do most companies have to support Graphene, which will be a handful of customers at best? Developers may be fine with offering a best effort support model, but legal certainly wouldn't.
The issue here is the Google-only remote attestation nonsense. It seems pointless to me. A device passing Google's attestation check tells you nothing. The device could well have malware on it and you won't know it. Integrity is a misnomer. The integrity scope is tiny.
No because that would be next to impossible, and prohibitively expensive to support for not enough gain.
If 97% of your users are on mainstream OSes, and the rest also account for disproportionately high numbers of bug reports, why should they bother supporting alternatives?
The app worked without issues until a few weeks ago. I used it for a year. It was not broken. GrapheneOS is just AOSP Android, optionally with Google Play Services.
My take is that they were trying to block rooted phones and/or custom ROMs of questionable origin and GrapheneOS just became collateral damage because all these companies do go the minimal route of using Play Integrity. GrapheneOS supports remote attestation through AOSP APIs, in fact, they have a page about it.
I think it's worth letting this be heard. GrapheneOS has > 400,000 users and is rapidly growing. Breaking things is not going to affect 5 people anymore, but thousands, ten thousands or hundreds of thousands, depending on what the app is.
Its not a different os though. Its still android. VW seems to just have turned on integrity checks which constantly cause issues for non-google androids. Plenty of banks do the same.
"Support" is such an overloaded and vague word in the software industry. What does it mean for a company to "support" an app/os configuration?
1. They deliberately target that app/os configuration, QA tests it, and answer customer support requests about it.
2. They target the configuration, QA tests it, but it's offered without customer support.
3. They target the configuration, but only release an untested build, use at your own risk.
4. They don't target the configuration at all, but the builds they do release happen to work on the configuration, totally unacknowledged by the company.
5. They don't target the configuration, and deliberately sabotage their application such that un-targeted configurations are actively blocked. Only adversarial users who hack the software are able to use it.
Too many companies say: "We can't do 1 because we don't 'support' it, therefore we must do 5!"
> If 97% of your users are on mainstream OSes, and the rest also account for disproportionately high numbers of bug reports, why should they bother supporting alternatives?
No. You're not required to use the app. You're not even entitled to use the app. If you want to use the app, you have to play by their rules. Plenty of device manufacturers have chosen to only offer iOS apps. No one talked about mandating that apps were available on competing platforms.
If you choose to use something like GrapheneOS, you are signing up for the fact that almost no one will test on your platform and plenty of things will be broken.
The app worked until a few weeks ago. GrapheneOS does not miss any functionality (nor security) for the app to work. The only change is that they started blocking non-GMS Android through the thoroughly anti-competitive Play Integrity.
Hypothetically, if GrapheneOS wanted to become a certified Android, it would probably not be blocked on technical reasons, only that becoming certified (last time a contract was leaked) requires running privileged Google Play Services (which is less secure) and pre-installing a bunch of Google apps that should not be uninstallable.
The issue here is not that they didn't test on alternative distributions of Android, the issue is that they went out of their way to prevent anything but the officially blessed distributions.
As is their right. There's nothing that says everything has to be open to everyone. There are other car companies.
This site talks at length about running businesses, identifying your target market and focusing hard on them. The same thing applies to other aspects of software.
If I ran a cross-platform app (built on Electron or whatever) and a certain platform made up 0.1% of my users but 20% of my customer support team's time, I'd stop supporting that platform. It's literally not worth the effort. And I wouldn't just let it rot (that would keep the customer support issues going), I'd block it.
Except for the fact that the car is sold as is with the features advertised (i.e. working with an Android app with no additional qualifiers as to which kind of android) AND that users are paying for these connective services
Sure the app is not required, though one loses on all of the remote-control functionality (remote start, remote climate control, etc.).
Maybe then app developers should be mandated to open fully their server-side protocols, so people can create apps for platforms that are not supported by default. No more undocumented APIs, anybody can get an API key, no API serving limits!
The solution is not to try to shame or force Volkswagen to support GrapheneOS, the solution is to (legally) force them to allow the car to run a custom CarOS, for which the community can write their own app
That's a non-starter in most countries. Since the car software is tied into a number of important safety features and regulated controls, custom operating systems will never be supported.
There are already massive problems with people miswiring head units to play videos while driving and updating their ECU to spew pollution into the air. You're not going to convince any significant number of people that it's a good idea to allow arbitrary code to run and control most of the other systems too.
> Since the car software is tied into a number of important safety features and regulated controls, custom operating systems will never be supported.
Then that's a poor design that should go the way of the dodo. Someone hacking the entertainment system should not be able to take over control of the engine. The entertainment system on planes do not allow one to hack into the autopilot. There should be no need for a firewall, they should have no shared wires between them.
They're not. Use any car's heads up display and you can configure an enormous number of things. Even if there was somehow a pure separation, things such as "playing video while the car is moving" are regulated in many jurisdictions and would land firmly in the "UI" layer.
You can detect the car is in motion or not without talking to the engine computer. Just like my phone can tell I'm in motion without connecting to the car at all. You're trying to justify a bad design with bad reasoning
You'd hope so but I fear that many safety critical aspects run on the same system as the infotainment system... And that's a perfect excuse for manufacturers to keep these things completely closed
One person's "controlling their own engines" is another "spewing nitrous oxides, carbon monoxide, and other pollutants into the air, giving cancer to neighbors and destroying the atmosphere". We tried the "don't regulate" path and it ended in a multitude of disasters.
Why should they ?! Do you also want to force them to design their cars so the engine is easily replaceable by a Custom Engine OS so that the community can build their own engines ?!?
Because laws are (mostly) a reflection of what society wants.
People are growingly concerned with both the car manu and Apple/Google control over their car and related extra software goodies.
Laws are really needed when businesses don’t play nicely. I don’t know the legal specifics, but I’m sure glad I don’t need to buy $1000’s of specialty tools to maintain my vehicle, and sure glad that replacement parts are readily available (and will be for decades).
Just image how much worse society would be if car manus did the same thing as Apple and had ID-paired parts. Sorry! Your AC doesn’t work anymore, please install a genuine Honda oil filter at your nearest Authorized Honda Shop, available for a minimum of $500.
That's unacceptable, because intelligence needs a way to steer your car into oncoming traffic if required to do so due to confidential national security reasons.
It is amazing how Volkswagen keeps messing up. I am currently in the market for a new car, an EV specifically. Volkswagen brands were at the top of my list for many reasons, among them the excellent driving assist implementation.
I got an offer from a dealer three weeks ago and was going to order the car, then the API for the community integration got turned off. I decided to hold back and see what comes from it. Now this, which ultimately - since I am a GrapheneOS user - makes me completely cancel my plans.
I really do not understand VWs thinking here. It would cost them little to nothing to continue not blocking the the inofficial API and not block GrapheneOS (or other non Play Protect androids) users. It would have no adverse effects on the average Joe, but it would gain a lot of support and enthusiasm from heavy users, differentiating from other brands. Not to mention the fact that it is the USERS data in the first place
German companies, especially old school industrial ones like VW, have a very hard time understanding open platforms. The view everything through the lense of liability and compliance first. Their thinking is that if someone runs their app on a custom ROM and uses that to manipulate the app in any way, and that causes some extremely hypothetical damage, that they might be held liable for not having prevented this situation.
Obviously, the chances of that are virtually zero. But they'd rather make their product worse than assume with any kind of risk, even if it is virtually zero. That is simply the way in which German enterprises operate.
Same here. I'll be in a market soon and I had my eyes on a VW i4 or a Škoda Enyaq, but this makes me seriously reconsider. I really wanted to support local industry and buy a European product this time, but they are making it seriously difficult (no, don't get me even started on Stellantis).
Go with Dacia
VW is obviously not thinking that any noticable portion of the userbase uses Graphene, and someone (somewhere) is going to get a promo by making VW infra adhere to "standards" or something
I don't use Graphene, but now I'm out of the market for a VW.
Vendor lock-in to Play services is ridiculous.
A car is a big purchase, and ideally not something I discard after a few years. I'd like it to not treat me like a second-class citizen and renter who can't make decisions over how to extend the life of my purchase.
> Volkswagen brands were at the top of my list for many reasons
You should definitely reevaluate how you constructed your list. VW has a history of being scummy (https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal) and their ICE cars are notorious for being unreliable compared to the Japanese car-makers. To be fair, EVs do change the equation a bit, but given their scandal plagued past, there's no way I would put them at the top of any list.
This is sadly not even the full extent of it. What they did is, they locked their api entirely for anything that is not play protect certified. That means, all the cool stuff that was doable via community-driven projects is now dead in the water.
The "app" they provide is 60% advertisement, 30% features, and I unironically preferred using a Home Assistant connection instead of of it for everything. Even for automations like "when to preheat the car", since that was easier and more intuitive outside of their native function.
This also means, that charge control from the cars side is not possible to automate anymore.
Sure, one could take the position "but it was never officially promised", but for some people, including me, having the api (which is paid btw) was a selling point.
Yes, I registered specifically for this comment.
I feel you. From my side I try to complain / rate / review every time, even if it's a low effort action, to cost them time and in the case of the regulated companies, to slightly worsen their complaint stats.
There's enough of users to start making a difference. Really, even a low effort action raising valid concerns (security theater, a lie, google's monopolistic position, anti-competitive, etc), keywords that will make their response more careful and potential complaint to the regulator more impactful.
Things like this can actually be a good way to nudge a company in the right direction sometimes. Nobody uses those internal review systems, and sometimes their stats are actually important. A handful of users might make up a really big chunk of the reviews.
In a similar vein, I once met a woman who told me how she would enter every single one of those stupid contests that you'd see printed on cereal boxes and ice cream containers because literally five people enter into those things, so you're odds of winning are surprisingly high. Apparently she won a bunch of them, but her favorite was when got a week long vacation that included going on a fishing trip with Ben and Jerry of "Ben and Jerry's".
So "Play Protect" is doing all the damage to the third-party ecosystem that it'd seemed designed for.
I've slowly but surely been moving away from any service provider of any type who does not allow me to use their service without their often Play Services-dependent app. Changing vehicles would be a lot harder though.
Driving a rental car in Germany almost makes me cheer for the ongoing bankruptcy of their auto industry. It really needs a full reset at this point. Sad thing is EU law mandates for a modem in the car as well as intrusive driving aids that actually make driving less safe by constantly driving your attention away from the road[1]. So there is no hope to get a minimally decent car in Europe in the near future, unless a wider reset also happens at the political and social level.
[1] https://www.youtube.com/watch?v=f-S76WEl25k
Whoever came up with the idea that the car should beep loudly even close to the speed limit has clearly never driven a car. The best way to silence it is to constantly be over the speed limit or well below.
This thing makes me crazy. But I can somehow ignore my Skoda’s whining. The other car was bought months before this regulation happened and I will keep it as long as I can.
I don't know how large a group who will do this is - but if the UK bans VPNs I can see Graphene having a very large target on its back.
Pixel being a fairly popular phone in the UK is the interesting bit - if you had to buy some niche device I couldn't see it hitting more than a few hundred people doing it, but there are likely 100k pixels in the UK, and it's still possible to buy one and put Graphene on it.The squeeze on the free internet happened so quick by the UK (well it took years of indifference and a failure to enshrine protections - but once they started moving the did so super fast)
Realistically we're speed running ID being tied to internet usage - create your escape hatch while you can!
I regret not signing up for Discord when they first introduced facial recognition and middle schoolers were trivially spoofing their ID checks with meme pics.
There's really something to be said for greedily signing up for most things and trying to get grandfathered before the zipcuffs tighten.
IRL, though, fuck this. Home depot added flock cams and broad facial recognition, grocery store installed turnstiles, haven't stepped foot in either since. I'm just dropping out of the IRL retail economy left and right.
There must be 10s of millions of x86 PCs with unlocked bioses in the UK. The issue won't be running an open device. The problem is software - what does someone running Linux do if the government mandates online services require proprietary attestation APIs?
It's scary how quickly the banning is moving. The problem is what happens next. When they realise that banning things doesn't really work. The next logical step is severely limiting internet traffic.
Am currently trying to open a business bank account in the UK, several banks require running a proprietary ID validation app.
Don't use those services. You're not gonna miss most of the crap after a few weeks anyways. Everything else is consent.
> what does someone running Linux do if the government mandates online services require proprietary attestation APIs?
One dual-boots to a reputable Linux vendor’s signed/sealed OS image with secure boot enabled in BIOS, so that the attestations are valid; financially supports said vendor; contacts them quarterly with check-ins on the status of their lockdown+attestation roadmap and uses professional journalism approaches to highlight their (in/)action; and, contacts one’s relevant governing body to petition for the addition of that vendor’s signed/sealed product line to be added to the authorized signatures list by both government-sponsored apps and to the verification platforms of the competing vendors (in order to balance the necessities of attestations with an appropriate degree of anti-monopolistic protections for consumers).
> It's scary how quickly the banning is moving. The problem is what happens next. When they realise that banning things doesn't really work
This confidence that ‘attestation doesn’t really work’ is the same sort of confidence that lead the Linux user community to largely scoff at, and ignore, attestation’s threat from when it was ballistically launched three decades ago towards the future. Options are now very limited for stopping it, and largely reduced to ‘getting some Linux into the approval list’. Severe compromises in user freedom will be required for the signed+sealed distro images to receive government approvals.
Imagine if Linux were an app on a video game console and you start to see the outcome: it’s a perfectly great working environment into which all of /usr/local and /opt and /home are writable, but the lockdown prevents you from modifying the OS in any way that could defeat the attestation protections. Apps you install into /opt can only access their own /opt/prefix, apps you install into /usr/local can access $HOME. The apps you install can choose to write session data (such as digital age verification certificates) to a system-protected /data store keyed first by the kernel’s signature, and second by the vendor signature the kernel reads from the app; with the understanding that an attestation latch-forward after an exploit patch will wipe that store, and that dual-booting to a different vendor will suspend access to sessions stored by that vendor.
This is, to climb on my hobby horse for a moment, why I continue to believe that Valve will be the first Linux vendor to receive government attestation approval alongside Apple / Google / Microsoft have previously across the desktop and mobile spaces. I’d really prefer that to be Graphene, Ubuntu, and Valve — but Graphene’s customer base is hostile to this, Ubuntu doesn’t have any incentive to care, and of the Linux vendors out there, Valve has a decade-long head start on the need for a locked-down and attested platform for business reasons. All of the above falls out naturally from considering how to defend one app from another on Android, iOS, Steam Deck, and Xbox. So far as I can tell today, though, Linux intends to be left out in the cold on all this. Oh well.
https://www.androidauthority.com/google-pixel-organized-crim...
“Every time we see a Google Pixel, we suspect it might belong to a drug dealer,” said a police official leading the anti-drug operation in Catalonia.."
Seems like some countries/areas are already targeting the Pixel (really its because of GrapheneOS)
Who said the UK is going to ban VPN?
Genuine question. That's news to me and I'm here.
The "Technology Secretary" is actively investigating it[0].
[0]: https://www.birminghammail.co.uk/news/midlands-news/new-vpn-...
When they realise their social media ban for children doesn't work
https://stateofsurveillance.org/articles/government/uk-lords...
It mostly happened already and it's in motion.
https://xcancel.com/BBCBreakfast/status/2066788360606138759
They said so. "Nothing is off the table" was the quote, iirc.
Think of the children that will bypass all of the "protections" recently adopted by the UK.
How would they even do that? A VPN is just a remote machine. Anything can be a VPN
And some including mullvad already accept payment in crypto, there will always be some dodgy VPN company in some dodgy jurisdiction that will take your BTC in exchange for an account.
I don’t think that will stop them trying though
VW blocking third party to access their servers is one thing, the thing that I find shocking is that you need to access VW servers to obtain your charging data while this should be directly available locally from the car.
The historical data is aggregated in some "cloud" rather than in the car, but if you want to collect and aggregate the data locally, you can still, for now at least. Car Scanner Pro and ABRP (A Better Route Planner) are both really popular for EVs for this exact use case, and both support VW EVs; they read battery charge state / voltage / temperature and operating states (speed, consumption, etc) using both standard OBD and proprietary manufacturer diagnostic IDs over the OBD port and then redo the aggregation and math that VW are doing on their end.
I am in market for a Car within a year or two, and I promise it won't be one from Volkswagen, if a company supports OSS platforms in cars and is available in APAC I will buy from them even if it costs 2x for the same specs (preferably a Hybrid but EV works too I guess).
Happy voting with your wallet folks. See ya.
Google Play has been a huge drag on innovation and security in the mobile ecosystem. I'm actually looking forward to the time when AI kills the mobile app ecosystem so that every phone manufacturer can bundle their own "vibe-code-your-own-app" system with their devices, and the Google Play monopoly is broken.
I don't think that will happen. Sure for a minority of users the same as people running linux for their daily driver, and I definitely support it!
It's possible that we get to a place where everyone cooks their own meal (vibe coded app), and only goes out to eat sometimes (official app store). Spreadsheets are the same, you can get a lot of milage, and most still buy and use closed source software.
Reminds me of this: https://www.robinsloan.com/notes/home-cooked-app/
I see a future where it is easier for startups to create their own mobile devices than to deliver certain functionality through the Google and Apple platforms where your own data will be used against you and where their devices can record you 24/7 without any remediation to ensure privacy.
Let's rewind 15 years ago when everyone was jumping and praising mobile Eco-systems. Did no one ever see this happening or were most too gullible with Facebook hugs and pokes
My recollection of HN 15 years ago includes a lot of annoyance with apps that could have been a website and how these walled gardens harm our freedom
Got my date wrong. What about twenty years ago?
> everyone was jumping and praising mobile Eco-systems.
Literally who?
How did you feel when android / iPhome came about with application stores?
I want a law that requires publishing your API for apps like this as well as allowing users to crate their own frontend based on it. That would enable more privacy aware versions of these apps.
Side note. Has anyone else noticed an uptick in GrapheneOS posts lately or am I crazy?
Probably because it's quickly becoming the only reasonable option on mobile
Sort of, there're more posts about graphene in the year 2026 & they get much more attention. Aggregated some data and plotted it with my agent: https://boop.icu/Pr.png
I'm glad the grapheneos support forum is proving very useful with "Why do you need a car app?" comment being highlighted by this link :D
It's not your car anymore, you're just renting someone else's hardware and access to their restricted platforms. Some recent cars even deny starting your car engine if the always on camera facing the driver thinks the driver isn't capable of driving "safely".
This is the WEF future your conspiracy uncle was telling you about during family gatherings. Well.
Easy fix --- block VW from your car owenership.
I hate that cars are every day more and more crammed with software, when car manufacturers can't seem to be able to make half-working code in the first place (looking at you Nissan, who just can't even put the correct timestamp on your GPS data points…)
My car won't let me flick the windshield wipers while the car is parked. I don't know why, maybe they think I'm throwing rain onto... already wet pedestrians? Similar problem with auto-folding mirrors. My mirror was frozen shut one day, and I didn't notice until I'd been driving for a few blocks (which is on me). Figured I'd just cycle the fold-unfold a few times to pop it free, but the button is disabled when the car is in motion.
Increasingly my vision of retirement is a life of luxury surrounded by hardware from before the internet era, things that do what I tell them, rather than telling me what I am and am not allowed to do.
I'm filling my shop with machining equipment without all the extras, but my first 6 years of retirement will be fixing those machines before I can make anything... (and family history doesn't give me good odds of living that long - which is average.)
Answer from VW:
> Please note that the use of the Volkswagen app is only supported on iOS devices and Android devices with supported operating system versions.
Is it time to mandate app developers support all operating systems for a device?
Just support a certain Android API level?
Supporting mainstream OEM variants can already be enough of a nightmare in behavioural differences. What motivation do most companies have to support Graphene, which will be a handful of customers at best? Developers may be fine with offering a best effort support model, but legal certainly wouldn't.
That's a starting point, but it seems the VW app is using a Google SDK for integrity checks, so maybe we need certain SDKs to be banned.
The issue here is the Google-only remote attestation nonsense. It seems pointless to me. A device passing Google's attestation check tells you nothing. The device could well have malware on it and you won't know it. Integrity is a misnomer. The integrity scope is tiny.
No because that would be next to impossible, and prohibitively expensive to support for not enough gain.
If 97% of your users are on mainstream OSes, and the rest also account for disproportionately high numbers of bug reports, why should they bother supporting alternatives?
The app worked without issues until a few weeks ago. I used it for a year. It was not broken. GrapheneOS is just AOSP Android, optionally with Google Play Services.
My take is that they were trying to block rooted phones and/or custom ROMs of questionable origin and GrapheneOS just became collateral damage because all these companies do go the minimal route of using Play Integrity. GrapheneOS supports remote attestation through AOSP APIs, in fact, they have a page about it.
I think it's worth letting this be heard. GrapheneOS has > 400,000 users and is rapidly growing. Breaking things is not going to affect 5 people anymore, but thousands, ten thousands or hundreds of thousands, depending on what the app is.
Its not a different os though. Its still android. VW seems to just have turned on integrity checks which constantly cause issues for non-google androids. Plenty of banks do the same.
> expensive to support
"Support" is such an overloaded and vague word in the software industry. What does it mean for a company to "support" an app/os configuration?
1. They deliberately target that app/os configuration, QA tests it, and answer customer support requests about it.
2. They target the configuration, QA tests it, but it's offered without customer support.
3. They target the configuration, but only release an untested build, use at your own risk.
4. They don't target the configuration at all, but the builds they do release happen to work on the configuration, totally unacknowledged by the company.
5. They don't target the configuration, and deliberately sabotage their application such that un-targeted configurations are actively blocked. Only adversarial users who hack the software are able to use it.
Too many companies say: "We can't do 1 because we don't 'support' it, therefore we must do 5!"
> If 97% of your users are on mainstream OSes, and the rest also account for disproportionately high numbers of bug reports, why should they bother supporting alternatives?
Because of those bug reports, very few may be specific to the non-mainstream OS? https://news.ycombinator.com/item?id=28978086
No. You're not required to use the app. You're not even entitled to use the app. If you want to use the app, you have to play by their rules. Plenty of device manufacturers have chosen to only offer iOS apps. No one talked about mandating that apps were available on competing platforms.
If you choose to use something like GrapheneOS, you are signing up for the fact that almost no one will test on your platform and plenty of things will be broken.
The app worked until a few weeks ago. GrapheneOS does not miss any functionality (nor security) for the app to work. The only change is that they started blocking non-GMS Android through the thoroughly anti-competitive Play Integrity.
Hypothetically, if GrapheneOS wanted to become a certified Android, it would probably not be blocked on technical reasons, only that becoming certified (last time a contract was leaked) requires running privileged Google Play Services (which is less secure) and pre-installing a bunch of Google apps that should not be uninstallable.
How is that not anti-competitive?
The issue here is not that they didn't test on alternative distributions of Android, the issue is that they went out of their way to prevent anything but the officially blessed distributions.
As is their right. There's nothing that says everything has to be open to everyone. There are other car companies.
This site talks at length about running businesses, identifying your target market and focusing hard on them. The same thing applies to other aspects of software.
If I ran a cross-platform app (built on Electron or whatever) and a certain platform made up 0.1% of my users but 20% of my customer support team's time, I'd stop supporting that platform. It's literally not worth the effort. And I wouldn't just let it rot (that would keep the customer support issues going), I'd block it.
Except for the fact that the car is sold as is with the features advertised (i.e. working with an Android app with no additional qualifiers as to which kind of android) AND that users are paying for these connective services
Here it is, the true hacker mentality.
Understanding how those around you operate makes you no less of a hacker.
It can even make you a great/better one…
They don’t just understand, they basically promote it.
It felt more resigned than promotional to me; but yes, normalization is a fine line!
Increasingly these kinds of apps are a requirement for a lot of features so ...
Sure the app is not required, though one loses on all of the remote-control functionality (remote start, remote climate control, etc.).
Maybe then app developers should be mandated to open fully their server-side protocols, so people can create apps for platforms that are not supported by default. No more undocumented APIs, anybody can get an API key, no API serving limits!
Unfortunately, Volkswagen has an API, but made it much harder to use it since a few weeks ago:
https://news.ycombinator.com/item?id=48319509
"tEsT yOuR PlatTfORM"
Fuck that.
The solution is not to try to shame or force Volkswagen to support GrapheneOS, the solution is to (legally) force them to allow the car to run a custom CarOS, for which the community can write their own app
That's a non-starter in most countries. Since the car software is tied into a number of important safety features and regulated controls, custom operating systems will never be supported.
There are already massive problems with people miswiring head units to play videos while driving and updating their ECU to spew pollution into the air. You're not going to convince any significant number of people that it's a good idea to allow arbitrary code to run and control most of the other systems too.
> Since the car software is tied into a number of important safety features and regulated controls, custom operating systems will never be supported.
Then that's a poor design that should go the way of the dodo. Someone hacking the entertainment system should not be able to take over control of the engine. The entertainment system on planes do not allow one to hack into the autopilot. There should be no need for a firewall, they should have no shared wires between them.
Those two set of systems are separate and very distinct.
They're not. Use any car's heads up display and you can configure an enormous number of things. Even if there was somehow a pure separation, things such as "playing video while the car is moving" are regulated in many jurisdictions and would land firmly in the "UI" layer.
You can detect the car is in motion or not without talking to the engine computer. Just like my phone can tell I'm in motion without connecting to the car at all. You're trying to justify a bad design with bad reasoning
People watch videos on their phone while drive and will continue to do so no matter what infotainment OSes allow or don't allow.
You'd hope so but I fear that many safety critical aspects run on the same system as the infotainment system... And that's a perfect excuse for manufacturers to keep these things completely closed
“Users shouldn’t be same to control their own engines actually” hmm well ok then
One person's "controlling their own engines" is another "spewing nitrous oxides, carbon monoxide, and other pollutants into the air, giving cancer to neighbors and destroying the atmosphere". We tried the "don't regulate" path and it ended in a multitude of disasters.
You can regulate emissions without preventing custom tunes
May I introduce you to the "rolling coal" morons?
Could it be a right-to-repair issue? That seems to be the only legal wrench available for forcing automakers to open up access to anything.
Why should they ?! Do you also want to force them to design their cars so the engine is easily replaceable by a Custom Engine OS so that the community can build their own engines ?!?
Because laws are (mostly) a reflection of what society wants.
People are growingly concerned with both the car manu and Apple/Google control over their car and related extra software goodies.
Laws are really needed when businesses don’t play nicely. I don’t know the legal specifics, but I’m sure glad I don’t need to buy $1000’s of specialty tools to maintain my vehicle, and sure glad that replacement parts are readily available (and will be for decades).
Just image how much worse society would be if car manus did the same thing as Apple and had ID-paired parts. Sorry! Your AC doesn’t work anymore, please install a genuine Honda oil filter at your nearest Authorized Honda Shop, available for a minimum of $500.
Next thing you know these dirtbags are going to want to choose what wheels and tires to put on these things. The nerve!
(Yes, repairability and standardization are encouraged where feasible.)
That's unacceptable, because intelligence needs a way to steer your car into oncoming traffic if required to do so due to confidential national security reasons.