Look at the attack vectors that are actually being used, and address them specifically, with minimally invasive measures.
If the problem is apps that allow remote control of your device, that people can be socially engineered into installing, put up barriers to gaining just that permission. That approach would actually help mitigate the problem (as scammers can now just use Google-approved apps for such things).
If the problem is ads that are pushing scams, Google could start with eradicating them from their own network. They seem to be the primary source. And, god forbid, perhaps even offer an ad blocker integrated in Android. (Yeah, I know.)
If the problem is scammers pretending to be a friend or family member in need of help through social apps, Google could force these apps to help users identify these cases (using local privacy-friendly heuristics of course) for inclusion in the Play Store. And no, they wouldn't be able to demand the same from apps installed from elsewhere, but that should be firmly outside of their sphere of responsibility. And casual users would be extremely likely to stick with the default app store anyhow.
Note that all three of these proposals provide a measure of safety from the problems they are addressing much larger than what Google is attempting by banning all non-Google-authorized applications.
I am quite genuinely curious what you think the best solution to prevent someone instructing a tech illiterate person over the phone to click through every permission warning about a malicious app they're installing is? No amount of scary menus will work. I feel like they only have 2 options, which is to limit some permissions without any exceptions (making their platform more closed), or make it harder to install apps as a whole.
If there is literally "No amount of scary menus will work." then those people cannot use computers. So long as they can transfer money with it, or do another action that a scammer may want to do, then the scammer can tell them to do it. They should not be allowed to install banking apps with that logic and need a legal guardian to manage their digital belongings.
If the solution is that nobody has control of their digital life anymore (see also attempts to require client-side scanning and verify user age, which don't work if said user can override it) then we've lost sight of the bigger picture.
It's not clear at all that a scammer is on the phone, instructing people to click through every warning that they see while sideloading a malicious app. As I stated up thread, the majority of these scams are happening through apps in the Play Store.
To address your question, there should be a straightforward option during device setup. If you're first attaching your account to the device, you simply check a box that says this is an advanced user's phone. You can put it behind the same kind of scary pop-ups that web browsers have when they're about to serve you an HTTP page, or when the HTTPS certificate is self-signed.
It's the most obvious, straightforward, user-friendly approach, and it was never even discussed.
> the most obvious, straightforward, user-friendly approach, and it was never even discussed
Fwiw, it was "discussed" in the sense that the person we're arguing with meant upthread ("let's discuss a good solution instead of this boring repetitive outrage"), but it's not like Google listens to that so any such discussion is pointless anyway. It is indeed the obvious solution and it comes up in each of these threads, but believers like GP can always be new rationalizations of why Google doesn't implement one proposal or another
> It's not clear at all that a scammer is on the phone, instructing people to click through every warning that they see while sideloading a malicious app.
Google claims this to be a very common or majority attack vector.
"The Global Scam Report also found that scams were most often initiated by sending scam links via various messaging platforms to get users to install malicious apps and very often paired with a phone call posing to be from a valid entity."
> If you're first attaching your account to the device, you simply check a box that says this is an advanced user's phone.
I completely agree this is a perfectly valid solution, but what about those who already set up their device? The security of the checkbox only works if you click it before someone attempts to scam you.
All they say is that the apps are malicious, though. The majority of malicious apps distributed on Android are through the Play Store. I really wish they would provide concrete details here because I just don't believe that this is all hinging on sideloading.
I think it's a problem where the only solutions are worse, on the whole, than the disease.
Probably the best option would be the ability to lock down your own device somehow (i.e. put the toggle in the opposite direction by default). This at least lets others around someone vulnerable to this protect them (and probably much more effectively, as the controls can be a lot tighter than 'we once saw an ID we believed was real')