“On August 31, we’ll start rolling out these requirements for anyone creating new Play Console developer accounts. In October, we’ll share more information with existing developers about how to update and verify existing accounts.”
Source: happened to me and all of my apps despite them being Free Software and offline-only. Here's one of the emails they sent me about it: https://i.imgur.com/dVzQj2p.jpeg
Notice how they open with “Hi Developers at [my first and last name]” – developers, plural, and “at” like they only expect me to be a company and not a single person.
The DUNS number thing is such a disaster even for companies with it. We had the account under a DUNS of a subsidiary but somehow they wanted us to upload verification docs for the main company, of course not matching exactly how they expect, and there is no way to change it without jumping through a bunch of hoops. Similar issues at Apple. Eventually they let us verify the account with "company letterhead" as if that proves anything (despite them insisting the letterhead needs to say dev@company.com instead of support@company.com, again proving nothing really).
For both Apple and Google it's one of those processes where the support doesn't even really seem to understand how it works (they probably don't know what automated emails are being sent, and what the dev side looks like). They would randomly close cases for "no response" immediately after they replied, ask us to upload something despite there being no way to upload it, tell us to ignore the "your account will be closed" email because it actually won't be (wrong again), etc.
DUNS' own lookup page doesn't even let you look up by DUNS number (so we could figure out what company some ancient number was associated with). I bet it's because you have to pay for one of their "solutions" to do this.
It seems like to Google, "customers" will only ever be anonymous data points in an A/B test.
They would have gone down quickly if they hadn't "borrowed" Overture's business model of paid ads.
They have no culture of valuing the customers, or (like Amazon) obsessing about what they need.
Apple is at least slightly different: hardware customers and high-value employees are treated okay from what I hear, but devs are left alone.
Indie developers bring both Apple and Google a lot of revenue indirectly, but they don't really have much of a lobby (maybe they should unionize/hire a lobby firm together).
Why would # of app submissions be what they test on? It's revenue to Google. Wouldn't surprise me if many of the apps that stopped appearing were free apps. Why jump through 20 hoops to make no money?
Indie developers are a nothing burger for Apple. It came out in the Epic trial that over 90% of App Store revenue comes from the major game companies with pay to win games and loot boxes.
I get where you're coming from and I find it just as bad how individual devs are being treated - but talk with some of your family members and non-tech friends about what they've got installed on their phones... And what they'd miss if it got removed.
It's gonna be
1. Social media / chat / SMS apps
2. Games (not one specific one - they'd be fine if any one game is removed, because alternatives exist)
Most of them will not even have a single app installed that can remotely be categorized as indie developed.
There are countless indie devs around that make great games etc - they're just not being discovered by normal people.
Following the money insinuates that it is by design, but there is no proof for that... Only circumstantial evidence like the previously mentioned statistic of app store revenue and the way they treat individuals. But still no conclusive proof and both can be argued to be coincidences (i.e. because of low user count they don't consider them important to their platform, hence low visibility in store etc.)
Personally, I find it highly suspect that the app/play store so heavily favors apps/games that are borderline user-hostile. Especially if I look to probably the only mainstream store that looks pretty neutral to me: Steam.
Here you often get 1-4 dev projects hitting the charts. It makes you wonder if the same would happen if Valve became just as profit oriented and started to siphon money via in-app/game purchases too.
Probably something more like a trade organization/association would be better. Like the Dairy Farmers Association. Which may or may not hire lobbyists.
It’s not hard. Start a 501(c)3, ask for members to donate and/or pay dues, hold some annual conventions (paid for by vendors) to evangelize the broader mission(s) and recruit new members, hire lobbyists to pursue the collective interests of members, rinse/repeat.
Yeah, DUNS numbers are super easy IME for companies to get, but it's hell after that. We had some crazy problems with the App Store where our legal address with DUNS didn't match what we provided Apple, even though we had updated it with D&B, but Apple's systems weren't pulling in that update, Apple told us to talk to D&B, D&B told us to talk to Apple... we ended up literally just making a new corporation and starting from scratch.
I first encountered Electronic Data Interchange in the early 90's. The small shop I worked for at the time had no idea and just wanted to make the parts they quoted and send them when done.
The EDI request came in a box, with an external modem, a paper with phone number and directions and then a smaller box with PROGRESS database software for MSDOS inside and a handful of disks containing the EDI system.
Good lord that was painful! I just plowed through it and all that pain completed a check box at Honeywell, who then sent us jobs electronically!
Yes, via FTP.
The CAD they were sending was Computer Vision and it was a full on solid model representation! At the time we were running CAD from the early enlightenment, CADKEY 3.5 for MSDOS!
Our best micro computer lacked the storage to handle the uncompressed file, which arrived on another handful of floppies that formed a multi-part zip file, which uncompressed totaled about 40 megabytes and change! Entire systems only had 20!
The CAD system failed to translate the data too. 16bit pointers lacked the range needed. They had me fetch a patch a day or two later and it took a few hours to do.
300 kilobytes of wireframe CAD, and the parts we made were basically 5 percent of that data!
FTP can be as secure as any other protocol. Enabling encryption on the server side is generally as simple as installing a certificate and turning on an option. And most FTP clients will default to using encryption if it is available; for the clients that don’t do that, it’s just another server option to require clients to use encryption.
> And when companies say they use FTP to exchange data, they don't tend to mean SFTP. They really do mean FTP.
Because SFTP is a different and entirely unrelated protocol. The encrypted version of FTP is sometimes known as FTPS, but it’s really just a variant of FTP. So it would be inaccurate to call it SFTP, but referring to it as simply FTP doesn’t imply a lack of security.
> The AUTH command is generally sent before encryption of the connection is made.
So…? What is the danger of negotiating an encryption protocol over plaintext? No credentials or sensitive information are sent via the AUTH command, and a server that disallows unencrypted connections will simply refuse to go any further with a client that doesn’t support encryption.
> It’s also vulnerable to a huge swathe of timing and weak hash attacks.
Gonna need a source on that. And even if such attacks potentially exist, in the use case you mentioned above I’m still not seeing how encryption combined with, for example, IP whitelisting can’t effectively be as secure as anything else you could use.
I mean, if they’re really not using encryption then yeah, that’s stupid and all bets are off. But there’s nothing inherently insecure about the FTP protocol.
Negotiation over plaintext is a vulnerability, yes.
Neither side of the pipe is secured, so absolutely everyone in between is a MITM waiting to happen. Someone else can negotiate what encryption gets used. Such as the still supported MD5 signing-only.
Which also means your IP whitelisting does bupkus, unless you trust every single interchange of your, and your clients', telcos.
It’s only a vulnerability if you’re using vulnerable encryption methods, at which point you’ve already introduced a vulnerability. You could make the exact same argument about STARTTLS vs implicit TLS, but it’s generally understood that, as long as the only allowable protocols are themselves secure, there is no difference in security between the two.
No, the negotiation is in plaintext. You don't get to choose whether or not you use a vulnerable encryption method.
That same problem in STARTTLS is how we ended up with CVE-2011-0411.
> The TLS protocol encrypts communication and protects it against modification by other parties. This protection exists only if a) software is free of flaws, and b) clients verify the server's TLS certificate, so that there can be no "man in the middle" (servers usually don't verify client certificates).
There's no certificate verification in FTPS - it's too early - so you're screwed. [1]
FTPS is the vulnerable encryption method. It's the reason that SFTP is recommended, and FTPS is not. [2]
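The exchange argued about above (the AUTH TLS negotiation that happens in the clear, and the complaint that a client which skips certificate verification is "screwed") can be made concrete from the defender's side. The following is an added example, not code from any commenter: a small model of the client half of an explicit-FTPS control channel that parses RFC 959 replies, sends only `AUTH TLS` in plaintext, refuses to fall back to a plaintext login if the server rejects it, and refuses to proceed at all unless the TLS context actually verifies the server certificate. The transcripts, user name and `negotiate()` helper are constructed for illustration; `strict_context()` and `unverified_context()` use the real `ssl` module. It assumes CPython, whose `ftplib.FTP_TLS` builds an unverified context when none is passed, which is why the strict one must be supplied explicitly.

```python
"""Client-side policy for explicit FTPS (AUTH TLS) negotiation.

Added example: the only thing a well-behaved client ever sends in the clear
is the AUTH TLS request itself. Credentials go out only after the server
accepted AUTH TLS and the TLS context is one that verifies the server's
certificate and hostname. A server reply other than 234 ends the session
instead of degrading to a plaintext login.
"""
import re
import ssl

# One FTP reply line: three digits, then ' ' (final line) or '-' (more follows).
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_replies(raw: str) -> list[tuple[int, str]]:
    """Split raw server text from the control channel into (code, text) pairs.

    RFC 959 multi-line replies open with 'NNN-' and close with a line 'NNN ';
    intermediate lines (any content) are folded into the reply text."""
    replies: list[tuple[int, str]] = []
    open_code = None
    lines: list[str] = []
    for line in raw.splitlines():
        m = REPLY_RE.match(line)
        if open_code is None:
            if not m:
                raise ValueError(f"malformed reply line: {line!r}")
            open_code, lines = m.group(1), [m.group(3)]
            if m.group(2) == " ":
                replies.append((int(open_code), "\n".join(lines)))
                open_code = None
        elif m and m.group(1) == open_code and m.group(2) == " ":
            lines.append(m.group(3))
            replies.append((int(open_code), "\n".join(lines)))
            open_code = None
        else:
            lines.append(line)
    if open_code is not None:
        raise ValueError("unterminated multi-line reply")
    return replies


def strict_context() -> ssl.SSLContext:
    """The corrected setting: chain validated against the system trust store,
    hostname matched, and nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unverified_context() -> ssl.SSLContext:
    """The weak setting: encryption without identity, i.e. 'no certificate
    verification'. Included only so negotiate() can be shown rejecting it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def negotiate(server_text: str, ctx: ssl.SSLContext, user: str = "alice") -> tuple[bool, list[str]]:
    """Walk the explicit-TLS handshake against a constructed server transcript.

    Returns (credentials_sent, client_commands). Hypothetical helper: the real
    socket I/O and TLS handshake are represented by the command log only."""
    sent: list[str] = []
    # Policy gate first: an unverified context would let any on-path party
    # terminate the TLS session, so credentials must never flow over it.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        return False, ["abort: TLS context does not verify the server certificate"]
    replies = iter(parse_replies(server_text))
    code, _ = next(replies, (None, ""))
    if code != 220:
        return False, [f"abort: unexpected greeting {code}"]
    sent.append("AUTH TLS")  # the single plaintext command of the session
    code, text = next(replies, (None, ""))
    if code != 234:
        # No plaintext fallback: a server that refuses AUTH TLS gets no USER/PASS.
        return False, sent + [f"abort: server refused AUTH TLS ({code} {text})"]
    sent.append("<TLS handshake; server certificate and hostname verified>")
    # Everything from here on travels inside TLS; PROT P protects the data channel.
    sent += ["PBSZ 0", "PROT P", f"USER {user}", "PASS ********"]
    return True, sent


if __name__ == "__main__":
    # Constructed transcripts: one server that accepts AUTH TLS, one that does not.
    accepting = "220-Welcome\r\nplain continuation line\r\n220 Ready\r\n234 Proceed with negotiation\r\n"
    refusing = "220 Ready\r\n500 AUTH not understood\r\n"
    for transcript in (accepting, refusing):
        ok, log = negotiate(transcript, strict_context())
        print("credentials sent:", ok, "|", " / ".join(log))
    print(negotiate(accepting, unverified_context()))
```

The same gate applies when using `ftplib.FTP_TLS` directly: pass `context=strict_context()` to the constructor, call `auth()` before `login()` and `prot_p()` before any transfer, and treat an `error_perm` on `AUTH TLS` as a fatal condition rather than retrying without TLS.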
Validation issues happen all the time for subsidiaries when the parent company likes to own/manage things. Always fun when e.g. EV certificate validation (sigh windows update stuff) calls the parent company reception and asks for the manager listed as owner, and they just go "who?".
The One Weird Trick I learned was to get a company attorney to write a professional opinion letter saying that you are indeed authorized to get a cert on behalf of your company.
Incredible experience with this: our App Store account was from an acquired company that was no longer doing business. The Apple representative requested documentation that the no longer in use LLC was in fact, no longer in use.
When I requested what documents they might think a defunct LLC was creating that would prove it was defunct, they didn't have an answer. Same as others we ended up just making a new fucking developer account.
Same issue but we actually got the account assigned to the new company, but I think the DUNS was still the old company so any time they require verification (e.g. for trader status), the account is stuck in some weird state that is halfway between two companies.
This happens to Google Cloud partners all the time, too, when there are acquisitions, mergers, or DBAs where the legal business entity changes even though the practical relationship stays the same (with the same people, same contact details, same billing/payment accounts, same contract terms, etc). It's extremely irritating.
Both Apple and Google need to be regulated. Their vice grip on app distribution, app defaults, search defaults, payments defaults, user credential saving defaults, messaging defaults, browser defaults, and then their brutal taxation of almost all web e-commerce and businesses is beyond the scale of whatever Standard Oil had.
You cannot do business on the Internet without paying the Apple and Google toll. They control all the points of ingress and egress, and they tax everything that moves.
It'd be bad enough if they were just charging money, but they also make you jump through hoops to design software their way, do unplanned upgrades to their cadence, prevent you from deploying emergency hot patches, prevent you from updating software dynamically, prevent you from knowing your own customer, etc. etc. etc.
And they're happy to sell your competitors ads to outrank you for your own trademark.
These companies need to lose their control over this. Web distributed apps must become the norm.
You can't tell me that with sandboxing, signature scanning, and some clever heuristics, that we can't make mobile completely safe for free and open distribution.
For reference, the regulation you are probably referring to is Article 30[1] and Article 31[2] of REGULATION (EU) 2022/2065 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act).
Article 30 requires capturing and vaguely defined validation of the following information supplied by a trader (includes traders of software):
- the name, address, telephone number and email address of the trader;
- a copy of the identification document of the trader or any other electronic identification as defined by Article 3 of Regulation (EU) No 910/2014 of the European Parliament and of the Council;
- the payment account details of the trader;
- where the trader is registered in a trade register or similar public register, the trade register in which the trader is registered and its registration number or equivalent means of identification in that register;
- a self-certification by the trader committing to only offer products or services that comply with the applicable rules of Union law.
Article 31 requires at least the following trader information to be displayed to potential buyers:
- name;
- address;
- telephone number;
- email address;
- clear and unambiguous identification of the products or the services;
- information concerning the labelling and marking in compliance with rules of applicable Union law on product safety and product compliance.
Do you think I somehow personally chose where my apps would be more popular or less popular? If they wanted to cut off my apps in only European regions due to European regs it would be disappointing but understandable.
It's amazing to me that there are some people that will go to these lengths to defend the profits of one of the largest corporations in the world.
At no point does it even occur to you that Google are already bending you over a table with their cut, and you're already white knighting for them even in a completely hypothetical situation.
Do you have very strong investments on Google? Otherwise, I really can't explain why an entrepreneur would ever think the way you do.
It's not just getting a DUNS number. You also need to consent to having your home address (no PO box or virtual mailbox, needs to be a physical address for your "business") listed publicly on the DUNS website and on all your Google Play Store app pages.
Other app stores are similar, so probably it's some dumb government regulation.
I created a free, offline, opensource app on Google Play, no monetization or payments, as an individual. When this change rolled out I was required to verify my identity and set up a payment profile or else my app and account would be deleted.
After I went through half of the process, they showed a "here's what your users will see on the play store listing under 'About the developer' section!" This included my full legal name, personal email address, and country, which is enough information to find my home address and other information in public registries. This app serves an online community that can be quite crazy and I was absolutely not going to doxx myself to them. I decided I had enough of Google so I gave the app away to a company.
- email address is just the one associated with the Google account, it sucks if you started the application on your personal google account, but you can still change it
- you need a payment profile to pay the account fee + verify your identity, the last part is probably very important for anti-spam
- I can understand that legal name + country can be considered doxxing, but I think it's highly relevant information for users
Of course these requirements could be relaxed for low-risk applications (i.e. no INTERNET permission), but I think it's understandable that there are so few of them nowadays that it is not a priority.
In what way is knowing the full legal name of a developer relevant to end users? I work in the App Store analytics space and even I have never once thought “I wonder what the full legal name and address of the app developer is. I’d love to drive to their place physically or mail a letter 1800s style to discuss their app”
The most I’d ever wonder about is maybe their country of origin.
For the 1 in 10,000 case of someone actually legitimately suing someone, publicly showing this info to everyone will also create a 100% chance of being sent spam or phishing emails with your real name and country, 1 in 2 chance of some troll signing you up for something nasty, 1 in 50 chance of someone ordering pizza to your house that you have to pay for, 1 in 500 chance of an angry user demanding you add some feature or delete the app else he'll do something bad with your information, 1 in 1000 chance of being SWATted, etc...
If your app is something that's currently politically controversial (e.g. it's an app for trans people), multiply these probabilities by 10.
I didn't make these rules. Just pointing out why this stuff is flowing down hill from government regulations and the overreaction of the private companies who have in the business model no allowance for nuance or human intervention at scale. Make rules so tight that people who are neither paid nor empowered to make decisions can enforce it.
If people don't want to be accountable for their app in any way, maybe they just don't have to have their apps out there. There are other venues, app stores, sideloading, where apps can be put up by random people with no verifiable information and even less trustworthiness than some random app from play store.
F-Droid allows random people with no verifiable information to publish apps, and AFAIK there's never been a single case of malware or something malicious.
The same can't be said about Google Play where I can usually find malware at any time with specific search queries. These are apps that should have never been approved in the first place because they're blatantly impersonating another app.
The people who make this malware won't be accountable, because they don't register their own developer account and verify their own identity. They go around emailing the contact email of every small developer on Google Play, saying that they'll buy their developer profile or pay for them to upload an app. I got many such emails as it is.
Yeah, I wanted to add that it may be less of a problem when there's source code, but sideloading and third party app stores includes apps that don't have source code available, like random loose apks people just download and install, or just third party stores that aren't open source oriented (like game stores, phone maker stores, etc.) Checking source code is also not an option on play store itself, so they might want to have some other ways of verifying where something comes from and letting other people check something for themselves.
No it wouldn't be "fair" and it's not just if you want to monetize your app. D-U-N-S number is required for developer account creation regardless of whether you plan to monetize or not.
They didn't explicitly ask for a home address, just a physical address. But for a hobbyist dev, home address is probably all you have so effectively that's what they're asking for. Or for you to rent an office somewhere, which I guess is what they wanted you to do by asking for a commercially zoned address.
There's even more than that, actually: if you're an individual developer you also need 10 people to beta-test your app for 2 weeks, along with having your home address listed online. Google really doesn't want anyone who isn't a company developing apps for Android lol
Ran into this myself late last year. Registered as an individual developer for a free, non-monetized app and had to find 20 people (they reduced the number since) to sign up (and remain signed up) as beta testers for a 2 week period to get the app listed.
Luckily I was able to hit that number (the app is a stat tracking app for the game Destiny 2, so I was able to get beta testers via posting on a subreddit filled with Destiny 2 PvP players). But it took way longer and was way more of a burden compared to getting the same app listed on both the Apple App Store and the Microsoft Windows Store (the app is written in Kotlin/Compose Multiplatform and was relatively easy to make multiplatform).
If I didn't happen to be an Android "main" myself (creating a vested interest in wanting to make the Android version easily available) I might not have bothered with the Play Store hoops given how much of a pain in the ass it was compared to the other listings.
Watching it happen, it also felt like hurdle after hurdle kept being added (in addition to the never-stopping API level treadmill).
Even if I were OK with jumping through the current set of hurdles, the promise of a never-stopping hurdle-jumping exercise with new requirements being thrown at me every quarter is not exactly encouraging for anyone who actually has a life outside of developing their apps.
> Google really doesn't want anyone who isn't a company developing apps for Android lol
I mean, it's Android. You can publish an app yourself or through an alternative app store. Given that you have options on the platform I don't have a big problem with Google enforcing pretty stringent requirements on their own store. In fact I prefer a pretty clear dividing line between trusted apps in the Play Store and 3rd party apps at your own risk. There was so much crap in the Play Store it was often hard to tell what's a scam and what wasn't.
I’m currently working with a startup that was just incorporated. We needed to join the Apple Developer Program to get APNS push certs to set up our MDM.
It took over five weeks to get our ADP membership approved, and that was with internal backchannels. We had to launch without MDM, all the laptops on mostly default settings.
These companies are making so much money from ads and rentseeking and IAP cancer that they have zero incentive to do anything else well. They know they have a monopoly position, so just like the public utilities charging you an extra $2 convenience fee to pay your bill, you’ll shut up and take it, because they are the only game in town.
You know it, and they know it, and they know you know it.
At least on Android you can install f-droid. On iOS they are the only game in town. There’s fuck-all that’s “insanely great” about not being able to install the programs you want to use (such as Fortnite).
It’s just how they choose to operate. It’s not a force of nature, it’s an engineered customer-hostile circumstance.
Apple weren’t always service-revenue shitheads, it’s a new thing. The company is nearly 50 years old, and for most of it they didn’t treat their customers and developers with contempt.
Exactly. I happened to have long-running apps in the store; I didn't update them for some time, but they were simple and working as designed, good for their job.
Suddenly there was this weird obligation to declare a company or disclose publicly info about me, so I did nothing and it expired, and they removed the app.
I saw many solo devs recommend switching to an LLC company to avoid the hassle Google introduced since late 2023, but it doesn't seem to be an easy task either. I've already witnessed two experiences:
The process for getting a DUNS number and getting it approved by Apple was such a nightmare. Even when I did everything correctly, I got flagged for some unspecified reason that required a bunch of extra back-and-forth. I didn't even want to list on the app store - just to allow other people to run some music-related code I wrote without getting stomped by Gatekeeper.
I haven't tried the specific flow for private individuals (seems to just be a radio button), but I do recall getting DUNS numbers as just filling in an online form with name and location and getting the number by mail, without any hoops for fees.
A bit silly to require for private individuals, and a bit annoying to have to go back and do, but not itself a big deal.
> I do recall getting DUNS numbers as just filling in an online form with name and location and getting the number by mail, without any hoops for fees
Having to do it at all is the hoop, and more than zero hoops is too many. I got nothing out of having my apps on Google Play except the joy of sharing in what was at the time a new and exciting medium.
See Windows Phone for a great example of how it would have played out if Google hadn't successfully courted small-time devs like me and countless others. Corporate publishers would have never colonized Google Play in the first place if an audience wasn't already there. The way they addressed me makes it very clear that solo devs are no longer needed, so I will never submit to it on principle no matter how easy it's claimed to be.
Having to do it at all is the hoop, and more than zero hoops is too many.
For sure, but it's a KYC for companies. How else would you expect B2B dealings and compliance to go through? They could do tax ids per country, but with DUNS, compared to local tax id, they get global ultimate beneficial owner as well as other insights. Getting a DUNS is free and relatively fast, unless you're in a hurry then there's a faster route that costs some relatively cheap amount. It's a common ID for global companies, especially those with international supply chains to rely on as "the id number" for companies.
Doing business is orthogonal to being a company, and depending on your country, some "company" forms are just VAT filing registrations for an individual itself with no independent legal status. What you normally call a company is something that behaves as an independent legal person.
However, it may be legally required to register a proper company if your yearly business volume exceeds a certain value - check local rules - but it may also be perfectly fine to do business as an individual below that volume, in which case the legal entity is just you.
(The alternative to being a business in a transaction is being a consumer)
No, you didn't read that wrong. It does seem like the intention is that individuals cannot publish (publish, not write) software for the Play Store if they cannot operate as a business; individuals actually can operate as a business as a sole proprietorship aka soleprop, which can and do have a DUNS number and is a legit way of doing business. Individuals without any sort of business entity attached to them do not get a DUNS number attached to them.
Doing business and registering a company (a separate legal person) are orthogonal concepts that are specific to local legislation. You can do business as a private individual, and various "company" forms in various countries are not actually companies but just VAT/financial registrations for the individual itself and have no legal status of its own. Whether you need to register a company form depends on local rules and may be subject to e.g. volume limits (e.g., okay below 10k USD annual).
The alternative to being a business in a transaction is being a consumer (as in B2C), and you're obviously not a consumer when publishing an app.
Going through hoops usually refers to an excessive effort.
Having to go through between zero (if you have needed the number before) and one free form from a standard entity to get a widely recognized identifier used for many things is objectively not an excessive effort.
Sharing apps on app stores is a continuous commitment with various responsibilities, such as ensuring safety of users through regular maintenance. If the idea of submitting one number is too much of a burden given the joy/finances you get out of it, then the rest of the maintenance responsibilities likely are too and maybe it's better to skip the publishing part.
Not sure what you're on about with corporate colonization. Colonizing implies forcefully taking what was rightfully someone else's. Also, in many places, making a company is just a form and standard practice even if you're just going to sell a single bogus app for 0.99 USD or whatever, so even individuals will be "corporations".
While I believe some of the (App|Play Store) requirements with DUNS numbers and such are overkill and unnecessary, I also agree that there's maybe a bit too much of a tendency for devs (commercial and indie alike) to take advantage of less restrictive means of distribution to "dump and run", where they toss a binary over the wall and forget the project even exists for long stretches of time, even as bugs and vulnerabilities accumulate.
This worked alright in the 90s and to a more limited extent in the 2000s, but from the 2010s onward it’s become more and more untenable except for the most simplistic of software, especially when it comes to anything dealing with the internet or externally sourced files. Regular maintenance and updates are an unavoidable fact of life for devs.
So I'm kind of of two minds here. Lower resistance/barrier to entry can be good in terms of encouraging participation, but it also inevitably means a lot more neglected projects sitting around rusting. If there's no effort to control that, platforms can easily become filled with rusty half-functional apps. The way that Apple/Google are attempting to do this is not great however because it's too oriented towards companies.
No they were set out in the contract you agreed to when publishing which has commitments and grants entirely orthogonal to your source license. Plus certain moral obligations to society.
Your license text is only capable of adding supplementary rights, and you're responsible for ensuring that your source license is fully compatible with the contract at time of publishing.
If you just want to dump stuff, leave it on GitHub.
The linked source only mentions DUNS being required for organization accounts, not individuals? And I've recently successfully created an account (albeit haven't published an app yet) without one?
Uh huh, Google just blatantly requiring every app developer on the planet to register with some specific random company. Absolutely no corruption to see here, none at all.
This is the kind of shit that's why smartphone vendors can't be trusted with their own walled garden stores; the EU has not stomped them into mulch hard enough yet, I see.
The irony of your comment thinking the EU is going to fight this.
The DUNS number is the European Commission standard for business identification; the choice of D&B isn’t random, it literally came from EU requirements.
Yeah, it's surprising how badly the EU as a government has fumbled the crucial job of business identification by outsourcing it to an American company.
And we keep wondering about why there are so few world changing companies coming out of Europe. Maybe they could start with one that handles business identification?
It's really shocking to me that the EU would demand people use a US corporation for something that really needs to be done by national governments. I think the corruption might be on our end in this case, time to write my MEP or whatever.
Which EU-based government(s), though? The implication I get is that under your proposal, the dev(s) would have to register with almost every EU country out there.
Well no, the store/Google/Apple would need to support entering compatible data with all systems, like with addresses or phone numbers and doing any integration to verify data if need be.
Each dev would only be in the registry of their own country, as they already need to be for tax related reasons anyway. I'm not sure why we need duplicated databases.