Project ideas from Hacker News discussions.

Open Letter to Google on Mandatory Developer Registration for App Distribution

📝 Discussion Summary

1. Security vs. Freedom
The core of the debate is whether Google’s new “developer‑verification” policy is a necessary safety net or an over‑reach that robs users of choice.
- “Google doesn’t care one bit about civil society; it cares about power to itself even if this means punching freedom and liberty in the face.” – OutOfHere
- “I don’t want some apps to be distributed anonymously… but many apps are benign.” – verdverm
- “People want the ability to decide for themselves whether or not to install some APK, they are not saying every APK under the sun is trustworthy.” – bigstrat2003

2. Effectiveness of Google’s Current Measures
Many participants question whether the existing Play‑Store safeguards actually stop scams or merely create a false sense of security.
- “The play store and apple app store both contain malware.” – array_key_first
- “Google’s announcement in Nov 2025… illustrates this threat clearly.” – dfabulich (link to blog)
- “Existing measures are sufficient” is a claim that “has no evidence to support it.” – marcprux

3. Alternative or Complementary Approaches
Instead of blanket registration, commenters propose more targeted or open‑source solutions.
- “A related approach might be mandatory developer registration for certain extremely sensitive permissions, like intercepting notifications/SMSes….” – dfabulich
- “F‑Droid already doesn’t use significant permissions… so that might work.” – glenstein
- “Use hardware‑bound phishing‑resistant credentials (passkeys) and avoid SMS 2FA.” – microtonal, tadfisher

4. Power, Surveillance, and Antitrust Concerns
The policy is seen as a tool for Google to tighten its monopoly and potentially enable state‑level monitoring.
- “Google will be able to track who’s using a particular app… and perhaps added to a terrorist list.” – OutOfHere
- “The only solution is to require developer licensing and insurance like general contractors have.” – iamnothere
- “Google is a monopoly and Apple is not. The irony is the more open player was deemed more anticompetitive.” – andyferris

These four themes capture the main strands of opinion in the discussion.


🚀 Project Ideas

PermissionGuard

Summary

  • A lightweight CLI and browser extension that scans APKs for sensitive permissions (SMS, notifications, contacts, etc.) and automatically flags them for developer verification.
  • Provides a clear, auditable trail of which apps require extra scrutiny, reducing the risk of malicious side‑loaded apps.

Details

| Key | Value |
|---|---|
| Target Audience | Android developers, security researchers, and power users who sideload apps |
| Core Feature | Permission‑based verification workflow + automated identity check for high‑risk permissions |
| Tech Stack | Python/Go CLI, Chrome/Firefox extension, REST API, PostgreSQL, Docker |
| Difficulty | Medium |
| Monetization | Revenue‑ready: subscription for enterprise scanning + open‑source core |

Notes

  • HN commenters like verdverm and glenstein want a targeted gate for notification/SMS apps. PermissionGuard gives that without locking down all sideloading.
  • The tool can be integrated into CI pipelines for open‑source projects, making it useful for F‑Droid maintainers.
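
A sketch of the permission scan described above, added here as an illustration and not taken from any existing PermissionGuard code. It assumes the manifest has already been decoded from binary AXML to text (for example by a tool such as apktool); the permission-to-category policy, the function names and the sample manifests are assumptions of this example.

```python
import xml.etree.ElementTree as ET  # for untrusted APKs, prefer defusedxml's parser

NS = "{http://schemas.android.com/apk/res/android}"
# Assumed policy: limited to the categories the summary names.
SENSITIVE_USES = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
}
# Notification access is not requested via <uses-permission>: the app declares a
# service guarded by this permission, so a uses-permission-only scan misses it.
SENSITIVE_BINDINGS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notifications",
}

def scan_manifest(xml_text):
    """Return sorted (category, permission, where) findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(NS + "name", "")
            if name in SENSITIVE_USES:
                findings.add((SENSITIVE_USES[name], name, tag))
    for svc in root.iter("service"):
        guard = svc.get(NS + "permission", "")
        if guard in SENSITIVE_BINDINGS:
            where = "service " + svc.get(NS + "name", "?")
            findings.add((SENSITIVE_BINDINGS[guard], guard, where))
    return sorted(findings)

def needs_verification(xml_text):
    """True when any sensitive permission or binding is present (CI gate)."""
    return bool(scan_manifest(xml_text))

# Constructed sample manifests, not taken from any real app.
MANIFEST_OPEN = '<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
SAMPLE_FLAGGED = MANIFEST_OPEN + """
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application><service android:name=".Listener"
    android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application></manifest>"""
SAMPLE_BENIGN = MANIFEST_OPEN + """
  <uses-permission android:name="android.permission.INTERNET"/></manifest>"""

if __name__ == "__main__":
    for category, perm, where in scan_manifest(SAMPLE_FLAGGED):
        print(f"[{category}] {perm} ({where})")
```

In a CI pipeline the `needs_verification` result would map to the job's exit status, so a build that newly gains an SMS or notification-listener capability fails until someone reviews it.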

PasskeySecure

Summary

  • A native Android app that replaces SMS‑based 2FA with FIDO2 passkeys, automatically generating and storing passkeys for any bank app that supports them.
  • Provides a fallback “SMS‑to‑passkey” bridge for legacy banks, ensuring users never expose OTPs to malware.

Details

| Key | Value |
|---|---|
| Target Audience | Android users who rely on SMS 2FA, especially in Southeast Asia |
| Core Feature | Passkey generation, automatic credential provisioning, SMS interception only for passkey conversion |
| Tech Stack | Kotlin, Android Jetpack, WebAuthn API, SQLite, Firebase Cloud Messaging |
| Difficulty | Medium |
| Monetization | Hobby (open‑source) |

Notes

  • Addresses microtonal's and tadfisher's concerns about SMS interception.
  • Users can opt in to the SMS‑to‑passkey bridge, keeping the app lightweight for those who already use passkeys.

DecentraStore

Summary

  • A decentralized, community‑run app store that uses a blockchain‑backed reputation system for developers and automated malware scanning.
  • Allows sideloading without a central gatekeeper while still providing trust signals for users.

Details

| Key | Value |
|---|---|
| Target Audience | Android enthusiasts, open‑source developers, privacy‑conscious users |
| Core Feature | Smart‑contract‑based developer identity, reputation score, automated static/dynamic analysis pipeline |
| Tech Stack | Ethereum (or Polygon), IPFS, Rust, WebAssembly, React |
| Difficulty | High |
| Monetization | Revenue‑ready: small listing fee + optional premium analytics for developers |

Notes

  • Responds to btreesOfSpring's and glenstein's calls for a robust, distributed store.
  • The reputation system deters malicious actors while keeping the store open to legitimate indie projects.

ScamShield Academy

Summary

  • An interactive, gamified training platform that teaches users how to spot and avoid phone‑based scams, phishing calls, and malicious app installations.
  • Integrates with Android to provide real‑time alerts and quizzes during suspicious activity.

Details

| Key | Value |
|---|---|
| Target Audience | Elderly users, non‑technical phone owners, parents of vulnerable family members |
| Core Feature | Scenario‑based quizzes, push‑notification alerts, progress tracking, community leaderboard |
| Tech Stack | Flutter, Firebase, Node.js, PostgreSQL |
| Difficulty | Medium |
| Monetization | Revenue‑ready: subscription for premium content + corporate licensing for banks |

Notes

  • Directly tackles scoofy's and h3lp's frustrations about “security theater” and the need for better user education.
  • Banks can bundle the app with their onboarding to reduce fraud losses.
