It is amazing how Volkswagen keeps messing up. I am currently in the market for a new car, an EV specifically. Volkswagen brands were at the top of my list for many reasons, among them the excellent driving assist implementation.
I got an offer from a dealer three weeks ago and was going to order the car, then the API for the community integration got turned off. I decided to hold back and see what comes from it. Now this, which ultimately - since I am a GrapheneOS user - makes me completely cancel my plans.
I really do not understand VWs thinking here. It would cost them little to nothing to continue not blocking the the inofficial API and not block GrapheneOS (or other non Play Protect androids) users. It would have no adverse effects on the average Joe, but it would gain a lot of support and enthusiasm from heavy users, differentiating from other brands. Not to mention the fact that it is the USERS data in the first place
German companies, especially old school industrial ones like VW, have a very hard time understanding open platforms. The view everything through the lense of liability and compliance first. Their thinking is that if someone runs their app on a custom ROM and uses that to manipulate the app in any way, and that causes some extremely hypothetical damage, that they might be held liable for not having prevented this situation.
Obviously, the chances of that are virtually zero. But they'd rather make their product worse than assume with any kind of risk, even if it is virtually zero. That is simply the way in which German enterprises operate.
If they have concerns about the security of their app on some platform, they have the choice to either put "security" into the app, or to trust the platform vendor to provide the security. The correct solution is the first way. Deferring trust to the platform provider is the lazy way.
If their APIs are done correctly, they shouldn't be afraid to expose them.
VW didn’t seem too concerned with compliance when they were rigging their pollution tests.
That was just engineers engineering their way into creating Electrify America :)
I am pretty sure that was not the engineers, but someone higher up the food chain ordering people to do that. I might be wrong, but maybe I missed the obvious "/s" or "/i" here.
They'd have you know they actually cared a bit too much about said compliance itself.
*appearance of compliance
Them cheating the tests WAS them ensuring THAT compliance.
In fact, that's how a lot of compliance works in industries where there's little little enforcement and relies a lot on self regulation.
I mean, the only reason they did it was to be able to comply with the requirements of the test.
But the reality is that every once in a while you have a scandal like this or something like Wirecard, and it happens, because the culture is such that absolutely nobody thinks it possible. That includes officials and regulators whose first instinct will often be to come after the people trying to expose the scandal, as has happened in the case of Wirecard.
>because the culture is such that absolutely nobody thinks it possible
Only naive laymen or newcomers to Germany think it's not possible. German business leaders, lawyers and politicians know exactly how much corruption and scamming is going on in the business sector, and it's not a little.
>first instinct will often be to come after the people trying to expose the scandal, as has happened in the case of Wirecard.
That was purely malicious to try to protect Wirecard, not because the regulators couldn't possibly imagine corruption and law breaking exists, that was the story they used as cover for their corruption.
Like you're a regulator and instead of doing the thing you were hired for and look at the evidence The Economist showed you, you instead "use your instincts" to decide not to do your job and not look into Wirecard because you can't imagine something bad can ever happen? Come on! All those regulators should have been fired and tried for corruption and/or accessory to crime.
If I had to guess it’s liability concerns around the app-based remote unlock and parking + R155 and CRA. A lot of european companies have moved to require attestation in their apps, likely spurred on by the CRA.
But why? I'd understand (though not approve) them tightening down everything about the car firmware to the max. They are responsible for the app, sure (it's a "digital element"), but they aren't responsible for the OS the app runs on. The CRA should not be used as an excuse to enact stupid restrictions.
Yeah sure, the company behind Dieselgate and single handedly destroyed the diesel market is worried about compliance? Give me a break.
VW is large enough that different parts of the company can have very different opinions.
That itself though speaks for a broken company culture. If one part of the company is completely disaligned with the values of good engineering, why should anyone still trust the company as a whole? It seems they at the very least severely lack a good vision then, to uphold the company values or what should be the company values.
I mean, the app services department doesn't exactly have a track record of perfect compliance (privacy) either, so there is that.
You don't understand, both comes from the same motivation and way of thinking: You see, compliance in Germany is about pretending to be super-compliant and not getting caught. Everyone will do the dance, make all the moves, and if you seem to make all the moves, you are assumed to be compliant. Supervisory authorities will not really check thoroughly except if you are annoying them or making them look bad. Especially if you are partially state-owned like VW.
In Dieselgate VW got caught, made the supervisory authorities and politicians look bad, which is why the authorities also weren't inclined to sweep it under the rug completely. They just shielded VW from the financial consequences in Germany (German VW customers got shafted).
Blocking GrapheneOS is the useless "pretending" part of compliance. They don't really want to do security, because that would cost money, so they pick some actions that seem drastic, harsh and don't cost them anything to implement. Later, when there is a security incident, they will point to their huge heap of pretend compliance, whine a bit about state sponsored actors, high criminal intent and other obvious deflecting bullshit. But they will get away with it, because they did the compliance dance, so they are obviously compliant and did nothing wrong. Nobody in authority will look twice als long as they are neither annoyed or made to look bad.
tl;dr: compliance in Germany is performative
I've had the same Golf since I bought it new in 2014. I like my Golf, so it should be an easy sale for VW to sell me a replacement.
However, VW just seem to make gaff after gaff. Collecting information they shouldn't, exposing information they shouldn't have to hackers via lax security practices.
How many rakes can a company step on?
Now, they're blocking GapheneOS? They've got two hopes of selling me another 'Dub.
(Bob and No).
VW is obviously not thinking that any noticable portion of the userbase uses Graphene, and someone (somewhere) is going to get a promo by making VW infra adhere to "standards" or something
Actually we need to force our European governments to use services that do not depend on foreign services (ie. Google or Apple). Then I guess it will only then become obvious to them how crazy the situation has become.
The company's have done their thing to ensure that the average guy wouldn't even try escaping their lock-in. So chances are becoming smaller and smaller to hope for a critical mass of users to complain.
I don't use Graphene, but now I'm out of the market for a VW.
Vendor lock-in to Play services is ridiculous.
A car is a big purchase, and ideally not something I discard after a few years. I'd like it to not treat me like a second-class citizen and renter who can't make decisions over how to extend the life of my purchase.
It's ridiculous, but are we only saying that because we're on HN or is it because the portion of the userbase who thinks it's actually a bad thing is the larger one?
Who cares if it's the larger one, so long as they are the correct one?
VW, presumably.
I think there was no specific thinking in that space at all. They went for attestation of the app for security reasons of the API and their testing only runs on normal android and iOS devices. Consequently, they realized later this and write a response pointing to their tested platforms.
So understanding why they drop it is IMHO easy. Understanding why they use only attestation based API despite and forcing their third party ecosystem out is stupid. Companies do not understand open communities.
Same here. I'll be in a market soon and I had my eyes on a VW i4 or a Škoda Enyaq, but this makes me seriously reconsider. I really wanted to support local industry and buy a European product this time, but they are making it seriously difficult (no, don't get me even started on Stellantis).
Mercedes has some interesting EV options, and they have some models at the moment that are not necessarily that expensive. Through the grapevine I overheard something about surplus production due to mandate to build a certain number of EVs.
If you don’t want/need a new car, the used car market in Germany is pretty active with EQAs and EQBs.
Renault makes good electric vans.
Not quite an SUV, but maybe fits the same use case?
Go with Dacia, though their EVs seem to have very low range.
2022 Dacia Sandero is a great car. Analog buttons, good build quality, well designed. And it’s cheap.
Possibly the single ugliest recent car though
And yet still has more personality than the latest Ferrari.
What else was on your list? Haven't looked seriously but WV, kia, Polestar has been on my list.
I'm kinda glad that it's VW blocking GrapheneOS users in a cynical way. When my parents got a VW Jetta they never stopped complaining about it and never bought one again. So it tracks that they'd also be the car manufacturer to block GrapheneOS and stomp on their user's privacy.
It's an easy market to win at this point. The bar has been lowered so much. Already have a nice car? Just don't display utter disdain for your user's privacy and you get our $$.
> Volkswagen brands were at the top of my list for many reasons
You should definitely reevaluate how you constructed your list. VW has a history of being scummy (https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal) and their ICE cars are notorious for being unreliable compared to the Japanese car-makers. To be fair, EVs do change the equation a bit, but given their scandal plagued past, there's no way I would put them at the top of any list.
I currently own a 10 year old Seat Leon with not a single out of maintenance repair (if we ignore the cosmetic repair due to a wildlife encounter). My parents have owned multiple VW vehicles, with each of these lasting >15 years without major issues. I know they have a reputation of being unreliable compared to Toyota, but that hasn't been my personal experience and equally important: they do not look like a Toyota. And Mazda has awful EVs
Putting these factors aside: they are usually cheaper than their peers in insurance and they have dealerships absolutely everywhere. I've had multiple Skoda and VW EV rentals and the experience has been nothing but pleasant. Hence my priorities.
> their ICE cars are notorious for being unreliable compared to the Japanese car-makers.
I always read this online, but my personal experience in EU doesn't match that at all in quite a sample of people and cars over the last ~15 years. At least not for older cards. The reliability after 100k km seems to be somewhat similar.
The repairability of VW-group stuff in 3rd party services is soo much better and cheaper. The WV-group is huge and many models across the brands share same parts and full engines. There exist non-OEM alternatives and people know how to fix those cars.
I have never bought new car. But driving anything but VW got expensive fast.
Toyota cars can have bespoke parts even between different months of the same year for the same model. Continuous improvement isn't really that cool for cars.
The keyword here is "in the EU".
Outside Western Europe, VW is priced like a premium upmarket brand (not quite luxury). Maintenance and general upkeep for a VW are easily two to three times the cost of an equivalent Japanese car.
Which wouldn't be an issue if the cars were actually built to their price point. But the VW cars we get here are shittier versions built in nasty factories. They break down if you look at them wrong. The build quality is nonexistent. They are absolutely an awful deal, no matter how you look at them. You also have to personally import parts from wherever they're available, because otherwise only the dealerships have parts and they are absurdly overpriced.
Also, European brands are afraid of exporting EVs. If you want an EV, you buy a Chinese car. There is no other option. It is as simple as that.
The emissions scandal is completely different, because in that case they were illicitly making the car work better for its owner.
Unless, of course, said owner cared for the environment
Said owner cares about their experience above the environment. Sure people care about the environment, but it is always lower than all the other factors in their personal list of things they worry about.
That is why so many rich fly private jets to environment conferences. People put Greenpeace and similar bumper stickers on their SUVs that never go off road and rarely have more than one person inside. They care about the environment, but only when it doesn't impact anything else in their life.
They can always drive less frequently or more slowly, that's within their power.
As opposed to the rest of the auto industry which has a stellar track record of adhering to emissions and fuel economy regulations /s
https://en.wikipedia.org/wiki/Diesel_emissions_scandal https://en.wikipedia.org/wiki/Defeat_device
And they lobbied governments to keep the tests a joke (e.g. test emissions on downwhill roads):
https://www.theguardian.com/environment/2015/sep/24/uk-franc...
Of course the governments probably lobbied for this stuff because it improves their car industry tax profits/employment numbers.
They all cheated and everyone knew it. It was the only way diesels could be so economical yet so powerful.
This is sadly not even the full extent of it. What they did is, they locked their api entirely for anything that is not play protect certified. That means, all the cool stuff that was doable via community-driven projects is now dead in the water.
The "app" they provide is 60% advertisement, 30% features, and I unironically preferred using a Home Assistant connection instead of of it for everything. Even for automations like "when to preheat the car", since that was easier and more intuitive outside of their native function.
This also means, that charge control from the cars side is not possible to automate anymore.
Sure, one could take the position "but it was never officially promised", but for some people, including me, having the api (which is paid btw) was a selling point.
Yes, I registered specifically for this comment.
I feel you. From my side I try to complain / rate / review every time, even if it's a low effort action, to cost them time and in the case of the regulated companies, to slightly worsen their complaint stats.
There's enough of users to start making a difference. Really, even a low effort action raising valid concerns (security theater, a lie, google's monopolistic position, anti-competitive, etc), keywords that will make their response more careful and potential complaint to the regulator more impactful.
Things like this can actually be a good way to nudge a company in the right direction sometimes. Nobody uses those internal review systems, and sometimes their stats are actually important. A handful of users might make up a really big chunk of the reviews.
In a similar vein, I once met a woman who told me how she would enter every single one of those stupid contests that you'd see printed on cereal boxes and ice cream containers because literally five people enter into those things, so you're odds of winning are surprisingly high. Apparently she won a bunch of them, but her favorite was when got a week long vacation that included going on a fishing trip with Ben and Jerry of "Ben and Jerry's".
I feel like that should be a warranty claim. You sold me one car with a specific set of features and now you've updated it into a different one lacking those features. It's not the same car. You broke it. Fix it or pay me for it's value.
So "Play Protect" is doing all the damage to the third-party ecosystem that it'd seemed designed for.
I've slowly but surely been moving away from any service provider of any type who does not allow me to use their service without their often Play Services-dependent app. Changing vehicles would be a lot harder though.
Developers have to go out of their way to implement triggering Play Integrity API checks in their app and then retrieve the results to check on their services. They're putting a lot of effort into banning anything not licensing Google Mobile Services. It's definitely not a security feature since it permits devices with no security updates for more than 8 years but not a far more secure OS than anything Google certifies. Google doesn't allow GrapheneOS to obtain certification and certification comes with highly anti-competitive rules which would be completely unacceptable. Their licensing system has been ruled illegal in South Korea and other countries should not only do the same but ban the Play Integrity API and other related anti-competitive features. These are not actual security features and that's an excuse for the actual purpose of enforcing their GMS licensing model including forcing including a bunch of Google apps with extremely privileged access and using their builds of many OS components shipped from the Play Store.
Driving a rental car in Germany almost makes me cheer for the ongoing bankruptcy of their auto industry. It really needs a full reset at this point. Sad thing is EU law mandates for a modem in the car as well as intrusive driving aids that actually make driving less safe by constantly driving your attention away from the road[1]. So there is no hope to get a minimally decent car in Europe in the near future, unless a wider reset also happens at the political and social level.
I recently saw a reportage about emergency call-takers. As you watch them work you'll notice they get an automatic call from the crashed car long before any human calls them, presumably from that modem.
I'm not arguing that the modem should be mandatory, or that you shouldn't be able to control what it does. But forcing car vendors who want to built in a modem to make this modem do an automatic emergency call by default, that seems quite sensible. Even more sensible would be if the modem did nothing unless you allow it, except when it detects that crash, but... profits.
That is one of the best, most profound and prescient videos I have ever seen.
Whoever came up with the idea that the car should beep loudly even close to the speed limit has clearly never driven a car. The best way to silence it is to constantly be over the speed limit or well below.
Probably made worse by the fact that _every_ VW brand car I’ve driven has read about 10% high on the speedometer. I think I’m going 100 kph, but timing using the km markers on the highway show I’m going about 90.
When I talked to the dealers, they said that the speedometers only have to be accurate +/- 10% according to the SAE specifications.
After DieselGate I assumed that the high reading was to game the fuel consumption game.
Never again, VW auto group…
I have a GTI and with cruise control on, the speedo and my phone's gps reads exactly the same speed.
Just use the speed reported by your GPS. Most navigation apps show the GPS-based speed.
This thing makes me crazy. But I can somehow ignore my Skoda’s whining. The other car was bought months before this regulation happened and I will keep it as long as I can.
I don't know how large a group who will do this is - but if the UK bans VPNs I can see Graphene having a very large target on its back.
- Buy Pixel, Get Graphene
- Use FDroid, don't sign up for Google Play, download Tor browser
- Censorship resistant access to the internet without handing over your ID.
The squeeze on the free internet happened so quick by the UK (well it took years of indifference and a failure to enshrine protections - but once they started moving the did so super fast)
Realistically we're speed running ID being tied to internet usage - create your escape hatch while you can!
There must be 10s of millions of x86 PCs with unlocked bioses in the UK. The issue won't be running an open device. The problem is software - what does someone running Linux do if the government mandates online services require proprietary attestation APIs?
It's scary how quickly the banning is moving. The problem is what happens next. When they realise that banning things doesn't really work. The next logical step is severely limiting internet traffic.
The first wave will be to mandate ID verification for online services. Some people will then start using p2p services, so the next step is to ban devices that can run non-approved software. Probably having your own VPS running your own software will also not be allowed. And like that, all the avenues for escaping control will be closed… for your safety, of course.
I think a lot of them already do, considering you can do things like digitally sign legally binding contracts.
Am currently trying to open a business bank account in the UK, several banks require running a proprietary ID validation app.
Don't use those services. You're not gonna miss most of the crap after a few weeks anyways. Everything else is consent.
> what does someone running Linux do if the government mandates online services require proprietary attestation APIs?
One dual-boots to a reputable Linux vendor’s signed/sealed OS image with secure boot enabled in BIOS, so that the attestations are valid; financially supports said vendor; contacts them quarterly with check-ins on the status of their lockdown+attestation roadmap and uses professional journalism approaches to highlight their (in/)action; and, contacts one’s relevant governing body to petition for the addition of that vendor’s signed/sealed product line to be added to the authorized signatures list by both government-sponsored apps and to the verification platforms of the competing vendors (in order to balance the necessities of attestations with an appropriate degree of anti-monopolistic protections for consumers).
> It's scary how quickly the banning is moving. The problem is what happens next. When they realise that banning things doesn't really work
This confidence that ‘attestation doesn’t really work’ is the same sort of confidence that lead the Linux user community to largely scoff at, and ignore, attestation’s threat from when it was ballistically launched three decades ago towards the future. Options are now very limited for stopping it, and largely reduced to ‘getting some Linux into the approval list’. Severe compromises in user freedom will be required for the signed+sealed distro images to receive government approvals.
Imagine if Linux were an app on a video game console and you start to see the outcome: it’s a perfectly great working environment into which all of /usr/local and /opt and /home are writable, but the lockdown prevents you from modifying the OS in any way that could defeat the attestation protections. Apps you install into /opt can only access their own /opt/prefix, apps you install into /usr/local can access $HOME. The apps you install can choose to write session data (such as digital age verification certificates) to a system-protected /data store keyed first by the kernel’s signature, and second by the vendor signature the kernel reads from the app; with the understanding that an attestation latch-forward after an exploit patch will wipe that store, and that dual-booting to a different vendor will suspend access to sessions stored by that vendor.
This is, to climb on my hobby horse for a moment, why I continue to believe that Valve will be the first Linux vendor to receive government attestation approval alongside Apple / Google / Microsoft have previously across the desktop and mobile spaces. I’d really prefer that to be Graphene, Ubuntu, and Valve — but Graphene’s customer base is hostile to this, Ubuntu doesn’t have any incentive to care, and of the Linux vendors out there, Valve has a decade-long head start on the need for a locked-down and attested platform for business reasons. All of the above falls out naturally from considering how to defend one app from another on Android, iOS, Steam Deck, and Xbox. So far as I can tell today, though, Linux intends to be left out in the cold on all this. Oh well.
Linux intends to be left out of all this attestation garbage because it completely undermines the point of fully owning and controlling your own devices. I don't want or need to ask permission before I run a program - not from random megacorporations, and ESPECIALLY not from any of the various governments. If some third party service wants to make sure I'm not doing anything nefarious, they should do it at the border of their servers and the services they offer.
> what does someone running Linux do if the government mandates online services require proprietary attestation APIs?
So, in the scenario posed (quoted above again for context) that I’m responding to, where the government has mandated attestation online, it seems like you’re arguing that Linux should continue to opt-out of attestation, and thus be forced into non-internet uses only. Do I misunderstand your intended outcome to the scenario here? I took for granted that Linux users would want to retain access to the internet as a critical priority, given how strongly they’re objecting to attestation of internet apps (and eventually internet access), but if I’m mistaken then I’m happy to reverse course!
>signed/sealed OS image
This way we will just have unremovable age verification, spyware, online accounts to use the os, name another bs from other vendors. What's the point of Linux then? The moment big corps and the state can seal spyware into your computer, they'll happily do it.
I'd rather have a separate burn device with whatever os for state services which lives in a faraday cage most of the time and have a proper OS I control on the main device than give somebody control over it.
I’m with you in spirit, but the ship is sinking, man. Your arguments were already made in the 90s when the first puff of smoke from all this was on the horizon. Thirty years of chicken little later, I’ve moved past being upset about this and am trying instead to persuade the Linux community to step up before the window of opportunity closes on GP computing altogether. Do something, act, if you want a better future; or do nothing if you don’t. What actions do you suggest people take in support of your viewpoint?
Make the installer KISS. Linux installation still hold the complex verbose jargon.
"Starting anaconda", "Enable Kdump", on anything RedHat.
Debian spews an ancient terminal window of options upon options and who knows how to install Arch.
Linux installation has never been click, click go and installation wizards are still designed for tech enabled and not the common user.
We have a helicopter on Mars yet they still can't master a installation wiziard.
[delayed]
I would never ever trust Linux from a vendor. If it's not installed by myself, I refuse to use it.
When you accept government gift in approval consider it tapped. At any point they can return to the vendor and go "install this". No? Okay bye to your certification.
Call me paranoid.
> I would never ever trust Linux from a vendor. If it's not installed by myself, I refuse to use it.
I bet you would, though, if the built OS image were 100% reproducible except for the signature. Once you have a fully reproducible Linux OS build, you can literally copy paste the cryptosig from the vendor and it will work with the image you built yourself from source that you inspected yourself. Then it’s impossible for the government to tap it without breaking the reproducible image checksum and thus the published cryptosig. It’s a better defense than any warrant canary would be, and it satisfies your concerns fully.
Arch shows only 15 packages left for their core OS to be built reproducibly; what I don’t see at their dashboard is the state of their ISO build reproducibility, but I imagine that’s the same as the core, so maybe it’s just unstated for obviousness. https://reproducible.archlinux.org/
Does GrapheneOS publish their repro build efforts as a dashboard anywhere?
> I bet you would, though, if the built OS image were 100% reproducible except for the signature.
CryptoSecure, depends how done but again, neither can be fully trusted when they were headed by government agencies in the past.
I don't trust Linux now that Microsoft got mits on it with WSL. RedHat sold-out to IBM and Debian got in bed with Canonical. Arch & Valve I might lead more too but then again I guess they've got to make money somehow.
I use FreeBSD and I don't trust that either unless I can do make install world.
https://www.androidauthority.com/google-pixel-organized-crim...
“Every time we see a Google Pixel, we suspect it might belong to a drug dealer,” said a police official leading the anti-drug operation in Catalonia.."
Seems like some countries/areas are already targeting the Pixel (really its because of GrapheneOS)
It is far more likely that it is due to scams and grifts that pretend to be GrapheneOS, associated with GrapheneOS, or based on GrapheneOS, rather than GrapheneOS itself. Criminals tend to be not that bright.
I regret not signing up for Discord when they first introduced facial recognition and middle schoolers were trivially spoofing their ID checks with meme pics.
There's really something to be said for greedily signing up for most things and trying to get grandfathered before the zipcuffs tighten.
IRL, though, fuck this. Home depot added flock cams and broad facial recognition, grocery store installed turnstiles, haven't stepped foot in either since. I'm just dropping out of the IRL retail economy left and right.
Who said the UK is going to ban VPN?
Genuine question. That's news to me and I'm here.
The "Technology Secretary" is actively investigating it[0].
[0]: https://www.birminghammail.co.uk/news/midlands-news/new-vpn-...
Apologies for the youtube shorts link, but Liz Kendall was on LBC yesterday talking about VPNs:
https://youtube.com/shorts/WvHl3G6KojI
I believe they're "doing research" into it, which basically means they don't understand how any of it works.
When they realise their social media ban for children doesn't work
https://stateofsurveillance.org/articles/government/uk-lords...
It mostly happened already and it's in motion.
They said so. "Nothing is off the table" was the quote, iirc.
Think of the children that will bypass all of the "protections" recently adopted by the UK.
How would they even do that? A VPN is just a remote machine. Anything can be a VPN
Like in Russia
- drop wireguard / OpenVPN packets crossing the country border
- analyze https traffic to detect traffic patterns not matching https fully and block such connectionsAnd some including mullvad already accept payment in crypto, there will always be some dodgy VPN company in some dodgy jurisdiction that will take your BTC in exchange for an account.
I don’t think that will stop them trying though
VW blocking third party to access their servers is one thing, the thing that I find shocking is that you need to access VW servers to obtain your charging data while this should be directly available locally from the car.
The historical data is aggregated in some "cloud" rather than in the car, but if you want to collect and aggregate the data locally, you can still, for now at least. Car Scanner Pro and ABRP (A Better Route Planner) are both really popular for EVs for this exact use case, and both support VW EVs; they read battery charge state / voltage / temperature and operating states (speed, consumption, etc) using both standard OBD and proprietary manufacturer diagnostic IDs over the OBD port and then redo the aggregation and math that VW are doing on their end.
I've seen some great successes using HomeAssistant combined with one of these that connects your vehicle's various CANbuses (via OBD port) to Wifi/BLE. https://www.meatpi.com/products/wican
Google Play has been a huge drag on innovation and security in the mobile ecosystem. I'm actually looking forward to the time when AI kills the mobile app ecosystem so that every phone manufacturer can bundle their own "vibe-code-your-own-app" system with their devices, and the Google Play monopoly is broken.
I don't think that will happen. Sure for a minority of users the same as people running linux for their daily driver, and I definitely support it!
It's possible that we get to a place where everyone cooks their own meal (vibe coded app), and only goes out to eat sometimes (official app store). Spreadsheets are the same, you can get a lot of milage, and most still buy and use closed source software.
Reminds me of this: https://www.robinsloan.com/notes/home-cooked-app/
I see a future where it is easier for startups to create their own mobile devices than to deliver certain functionality through the Google and Apple platforms where your own data will be used against you and where their devices can record you 24/7 without any remediation to ensure privacy.
Unlikely for most. For some situations yes, but for most situations customers are going to demand that you work with their existing phone.
Let's rewind 15 years ago when everyone was jumping and praising mobile Eco-systems. Did no one ever see this happening or were most too gullible with Facebook hugs and pokes
My recollection of HN 15 years ago includes a lot of annoyance with apps that could have been a website and how these walled gardens harm our freedom
Got my date wrong. What about twenty years ago?
In 2006, before Android, the iPhone, or app store existed? Were you even alive 20 years ago?
> everyone was jumping and praising mobile Eco-systems.
Literally who?
The app-devs were salivating on striking it rich on a garbage app.
The rest of us groan when we hear "DOWNLOAD OUR APP" or grocery stores that want you to install their spyware coupon app.
These days, nost apps are just data exflitrators, spyware portals, and surveillance pricing initiatives, wrapped up with a "FREE THINGY" wrapping.
My 2016 car has the old version of Android auto. My phone has the new one, I think from 2019 or 2020. They are incompatible. Did I miss something by not integrating my phone with my car? I don't think so. I call with Bluetooth and navigate with the screen of the phone. The only thing I'm using is the mic and speaker of the car. The mic is probably substantially better than any earpiece I could buy, because I suspect that it's designed to filter out noises from the car and from the road.
> In my opinion, the most useful next step is to contact Volkswagen support in a coordinated and technically precise way [...] Smartphone: Google Pixel Operating system: GrapheneOS
I strongly recommend saying that operating system is one of "Android" (there are many variants), "Android (GrapheneOS)", or "GrapheneOS Android".
But if you say only "GrapheneOS", you are practically telling VW to respond that they do not support that operating system.
I had a used 2016 VW Golf and it was a lemon. It would have an average of one serious problem a month. I finally gave up being a professional car maintainer and dumped it, taking a huge loss because it was effectively worthless on the car market despite only being 8 years old. Fun car to drive, but what's the point if it doesn't work reliably? I completely lost my trust for VW vehicles after that.
Not surprising to me at all that their software is a similar high quality experience, but in general I think it's weird that cars have to be connected to the Internet anyways and I doubt the competition is substantially better.
I am not a lawyer, but this is clearly illegal under EU law.
As a EU citizen, please sign this petition https://www.change.org/p/eu-data-act-durchsetzen-autoherstel...
I want a law that requires publishing your API for apps like this as well as allowing users to crate their own frontend based on it. That would enable more privacy aware versions of these apps.
https://en.wikipedia.org/wiki/Magnuson%E2%80%93Moss_Warranty... from 1975, but is has more of what you were asking for than you might guess. And it was written about info-tainment systems (radios).
I am in market for a Car within a year or two, and I promise it won't be one from Volkswagen, if a company supports OSS platforms in cars and is available in APAC I will buy from them even if it costs 2x for the same specs (preferably a Hybrid but EV works too I guess).
Happy voting with your wallet folks. See ya.
Isn't this for the same reason why you can't do banking on an unlocked bootloader phone?
There's no way to verify the integrity of the system, and any malicious app can just grab your banking credentials or enable criminals to unlock and drive away with your car.
GrapheneOS requires a locked bootloader and supports using deveice attestation via the generic attestation functionality in the Android Open Source Project.
Play integrity is an anticompetitive tool that ignores this, and artificially limits itself on GrapheneOS. It is not due to any incompatibility.
> or enable criminals to unlock and drive away with your car
Has this ever happened?
The VW app can't do remote unlock so that's not a problem. It allows you to turn on the aircon or start charging and that's about it. That only works 50% of the time anyway.
Actually, it can (at least for my combination of country and vehicle).
Modern cars are such enshittified garbage. I was in a modern Toyota recently and every time you start it, the screen shows a "Guest mode activated" that you need to explicitly dismiss. The only way to disable this is to install some stupid Toyota app which I would never install. Then you dismiss the popup and the home screen is "Experience Drive Connect" which is some stupid Toyota subscription which I would never subscribe to. What a piece of garbage. I'd probably just disconnect the whole screen entirely.
Tell the dealer you won't buy unless they disable all that garbage. They may say they can't, and if they let you walk out maybe they really can't. Then ask them for a discount so you can replace the head unit with one that doesn't spy on you.
Side note. Has anyone else noticed an uptick in GrapheneOS posts lately or am I crazy?
Probably because it's quickly becoming the only reasonable option on mobile
GrapheneOS has an official partnership with a large OEM (Motorola), has near perfect app compatibility, is constantly improving upon user experience, and has been well known and regarded in the privsec community and by many trusted security experts. It appears to be gaining more mainstream awareness as a result.
Oh, and Android 17 has been released so there is hype for that.
Sort of, there're more posts about graphene in the year 2026 & they get much more attention. Aggregated some data and plotted it with my agent: https://boop.icu/Pr.png
Can you add CopperheadOS data 2014-2018 and AndroidHardening Project from 2018-2019?
Easy fix --- block VW from your car ownership.
It's not your car anymore, you're just renting someone else's hardware and access to their restricted platforms. Some recent cars even deny starting your car engine if the always on camera facing the driver thinks the driver isn't capable of driving "safely".
This is the WEF future your conspiracy uncle was telling you about during family gatherings. Well.
The conspiracy uncle was right after all.
"You will own nothing and be happy" - WEF Prime Objective.I hate that cars are every day more and more crammed with software, when car manufacturers can't seem to be able to make half-working code in the first place (looking at you Nissan, who just can't even put the correct timestamp on your GPS data points…)
My car won't let me flick the windshield wipers while the car is parked. I don't know why, maybe they think I'm throwing rain onto... already wet pedestrians? Similar problem with auto-folding mirrors. My mirror was frozen shut one day, and I didn't notice until I'd been driving for a few blocks (which is on me). Figured I'd just cycle the fold-unfold a few times to pop it free, but the button is disabled when the car is in motion.
Increasingly my vision of retirement is a life of luxury surrounded by hardware from before the internet era, things that do what I tell them, rather than telling me what I am and am not allowed to do.
I'm filling my shop with machining equipment without all the extras, but my first 6 years of retirement will be fixing those machines before I can make anything... (and family history doesn't give me good odds of living that long - which is average.)
> when car manufacturers can't seem to be able to make half-working code in the first place (looking at you Nissan, who just can't even put the correct timestamp on your GPS data when car manufacturers can't seem to be able to make half-working code in the first place (looking at you Nissan, who just can't even put the correct timestamp on your GPS data points…)
Nissan sells a ton of cars to subprime borrowers, quality isn’t exactly their focus. Hyundai/Kia and Stellantis also target the same buyers.
Kia's GPS datapoints are pretty low effort (you only get a few, median distance between two points being 30km) but at least they aren't wrong!
Answer from VW:
> Please note that the use of the Volkswagen app is only supported on iOS devices and Android devices with supported operating system versions.
Is it time to mandate app developers support all operating systems for a device?
My daily driver is a de-Googled LineageOS device, but I purchased a $50us iPhone SE 3 for FaceTime.
I have moved most of the my finance activity to it, along with my license and passport. I would never trust a Google device with this much, and the convenience has been profound in a few circumstances.
I would relegate any intrusive apps here, and happily deny them cross-app tracking privileges.
Just support a certain Android API level?
Supporting mainstream OEM variants can already be enough of a nightmare in behavioural differences. What motivation do most companies have to support Graphene, which will be a handful of customers at best? Developers may be fine with offering a best effort support model, but legal certainly wouldn't.
The funny thing is, nothing needs to be done to support GOS. GOS has 99% android app compatibility. The issue isnt that GOS requires changes in the app to support it, rather, the tools they are using explicitly ban non-certified OSs.
Dont let their boilerplate responses fool you, tools like play integrity only serve to push anticompetitive practices. The claims about not being able to support GOS are nonsense, and all they did was break existing support.
That's a starting point, but it seems the VW app is using a Google SDK for integrity checks, so maybe we need certain SDKs to be banned.
The issue here is the Google-only remote attestation nonsense. It seems pointless to me. A device passing Google's attestation check tells you nothing. The device could well have malware on it and you won't know it. Integrity is a misnomer. The integrity scope is tiny.
No. You're not required to use the app. You're not even entitled to use the app. If you want to use the app, you have to play by their rules. Plenty of device manufacturers have chosen to only offer iOS apps. No one talked about mandating that apps were available on competing platforms.
If you choose to use something like GrapheneOS, you are signing up for the fact that almost no one will test on your platform and plenty of things will be broken.
The app worked until a few weeks ago. GrapheneOS does not miss any functionality (nor security) for the app to work. The only change is that they started blocking non-GMS Android through the thoroughly anti-competitive Play Integrity.
Hypothetically, if GrapheneOS wanted to become a certified Android, it would probably not be blocked on technical reasons, only that becoming certified (last time a contract was leaked) requires running privileged Google Play Services (which is less secure) and pre-installing a bunch of Google apps that should not be uninstallable.
How is that not anti-competitive?
The issue here is not that they didn't test on alternative distributions of Android, the issue is that they went out of their way to prevent anything but the officially blessed distributions.
As is their right. There's nothing that says everything has to be open to everyone. There are other car companies.
This site talks at length about running businesses, identifying your target market and focusing hard on them. The same thing applies to other aspects of software.
If I ran a cross-platform app (built on Electron or whatever) and a certain platform made up 0.1% of my users but 20% of my customer support team's time, I'd stop supporting that platform. It's literally not worth the effort. And I wouldn't just let it rot (that would keep the customer support issues going), I'd block it.
Except for the fact that the car is sold as is with the features advertised (i.e. working with an Android app with no additional qualifiers as to which kind of android) AND that users are paying for these connective services
Graphene is not a kind of Android. It doesn't even advertise itself as such:
> GrapheneOS is a privacy and security focused mobile OS with Android app compatibility [https://grapheneos.org/]
GrapheneOS is based on the Android Open Source Project and retains near perfect android app compatibility. It cannot call itself android for legal reasons, but the legal definition does not affect its app compatibility.
Tools such as play integrity are illegal. Using anticompetitive and monopolistic tools is not the right of application developers.
The legal definition matters a lot if someone is trying to argue that VW advertising Android features is supposed to include GrapheneOS
> Using anticompetitive and monopolistic tools is not the right of application developers.
Please talk to an actual lawyer before making legal claims, because to be blunt it's very clear you don't know what many of those terms mean in a legal context. VW is not a "monopoly". They have no obligation to allow the use of their software on platforms they don't want.
The legal definition of the OS does not matter at all when considering the difference between failing to support something, and using a tool that explicitly stops something from working that otherwise works without issue. Play integrity is a tool which does not base any of its certification decisions in privacy or security, rather leverages it for anticompetitive reasons. This is known and trivially verifiable.
I do know what these terms mean in a legal context. I am claiming that play integrity is an anticompetitive and monopolistic tool, of which VW decided to use. I am not claiming VW is a monopoly. What you are claiming is their right to do, is not their right at all, and is illegal.
GrapheneOS is obviously an Android distribution, but I suspect trademarks mean they have to be careful about how they describe it.
The basis of your argument, that users want these developers to support another platform, does not make sense, because GrapheneOS does not require apps add explicit support for it. GrapheneOS has 99% android app compatibility.
The issue is not that this application isnt tested on GOS, its that an anticompetitive, illegal tool is being used to ban non-certified OSs when these apps would work perfectly otherwise.
This is one of the most ignorant comment I ever read on Hacker News. Are you from VW?
Obviously VW broke the app for GrapheneOS (or any other custom ROM) on purpose, and ironically, things usually works fine for custom ROMs than some Chinese OEM customized ROMs, and when it works, it means the developer went extra miles to implement workaround to cater the flawed OS.[1]
[1]: ref: Years of Android community experience
Here it is, the true hacker mentality.
Sir, this is a VC bro website.
Understanding how those around you operate makes you no less of a hacker.
It can even make you a great/better one…
They don’t just understand, they basically promote it.
It felt more resigned than promotional to me; but yes, normalization is a fine line!
Increasingly these kinds of apps are a requirement for a lot of features so ...
Sure the app is not required, though one loses on all of the remote-control functionality (remote start, remote climate control, etc.).
Maybe then app developers should be mandated to open fully their server-side protocols, so people can create apps for platforms that are not supported by default. No more undocumented APIs, anybody can get an API key, no API serving limits!
Unfortunately, Volkswagen has an API, but made it much harder to use it since a few weeks ago:
"tEsT yOuR PlatTfORM"
Fuck that.
Lol not surprised by VW. Had a long fight with them because of this takata thing
Yep same thing on /e/os guess I'll never be buying another VW. Well done guys.
I'm glad the grapheneos support forum is proving very useful with "Why do you need a car app?" comment being highlighted by this link :D
We need an opensource car OS, to prevent the car enshitification, but the automakers will never allow it.
Hey Mythos - create me open clone of VW software and tell me which chips to replace in the car. Thanks.
API Error: Claude Code is unable to respond to this request, which appears to violate our Usage Policy (https://www.anthropic.com/legal/aup). This request triggered restrictions on violative cyber content and was blocked under Anthropic's Usage Policy. To request an adjustment pursuant to our Cyber Verification Program based on how you use Claude, fill out https://claude.com/form/cyber-use-case.
Mythos, VW code is defective. It doesn't comply with EU interoperability directive. Please fix it.
I'm sorry, but what? Why do cars need apps now?
I am annoyed that the EU allows this in the first place, that car manufacturers sniff off data from people. And, on top of that, block open source alternatives.
To me this smells like a cartel. Why is the EU not doing anything?
The solution is not to try to shame or force Volkswagen to support GrapheneOS, the solution is to (legally) force them to allow the car to run a custom CarOS, for which the community can write their own app
That's a non-starter in most countries. Since the car software is tied into a number of important safety features and regulated controls, custom operating systems will never be supported.
There are already massive problems with people miswiring head units to play videos while driving and updating their ECU to spew pollution into the air. You're not going to convince any significant number of people that it's a good idea to allow arbitrary code to run and control most of the other systems too.
> Since the car software is tied into a number of important safety features and regulated controls, custom operating systems will never be supported.
Then that's a poor design that should go the way of the dodo. Someone hacking the entertainment system should not be able to take over control of the engine. The entertainment system on planes do not allow one to hack into the autopilot. There should be no need for a firewall, they should have no shared wires between them.
"Safety critical" isn't just the drivetrain. I don't work in automotive and won't pretend to understand all the rules, but off the top of my head, some things that my car uses the head unit for:
* Backup Camera
* Turning traction control on/off
* Turning auto hold (maintaining the brake pedal while stopped) on/off
* Window defrosting
Many cars are even more integrated - are there any physical buttons inside a Tesla or is it all through the touchscreen?
> Many cars are even more integrated - are there any physical buttons inside a Tesla or is it all through the touchscreen?
If you're going to use the worst example as the comparison, then we'll get no where fast.
Those two set of systems are separate and very distinct.
They're not. Use any car's heads up display and you can configure an enormous number of things. Even if there was somehow a pure separation, things such as "playing video while the car is moving" are regulated in many jurisdictions and would land firmly in the "UI" layer.
You can detect the car is in motion or not without talking to the engine computer. Just like my phone can tell I'm in motion without connecting to the car at all. You're trying to justify a bad design with bad reasoning
People watch videos on their phone while drive and will continue to do so no matter what infotainment OSes allow or don't allow.
"Some people break the law" is not a reason to not have laws. Don't let perfect be the enemy of good.
Not with the necessary precision. GPS doesn't work in tunnels or parking garages and can be wildly inaccurate in city centers with skyscrapers blocking line of sight, for instance.
The built-in, offline mapping in my Honda uses a whole host of local-only sensors to handle these situations where GPS is intermittent. It works rather well at figuring out where the car is on the map, and when it deviates from the prescribed route.
It works in tunnels. It works in cities with tall buildings. It works on Lower Wacker Drive in Chicago.
Is there some technological limitation that precludes using this data to determine whether or not a movie can be played?
(It's not like it's new tech. It's decades-old. Honda started using it over 20 years ago.)
There's no need when OBD does just fine for this purpose.
It's also not clear what the purpose of this line of argument is. Some sensor says "car is moving". The operating system in the car/head unit is responsible for enforcing that signal, and it could ignore it equally from either OBD or some pile of gyroscopes. Where that signal comes from has nothing to do with why you will not see cars accepting custom operating systems.
> It's also not clear what the purpose of this line of argument is.
It completely dismantles your previous goalposts, which were planted firmly on GPS:
>> Not with the necessary precision. GPS doesn't work in tunnels or parking garages and can be wildly inaccurate in city centers with skyscrapers blocking line of sight, for instance.
(I guess we all have the freedom to be as flexible with our goalposts as we wish. I didn't come here for a tireless argument that is motivated by nothing but the desire to argue, though. Have a great day!)
My line of argument is "the head unit is responsible for not allowing video playback while in motion". Anything to do with detecting motion came after that.
The point of argument is that it no longer becomes a security issue to allow customOS on the infotainment system because it absolutely has no connection to the engine computer.
This is not an architectural issue. The threat isn't a bad OS causing the car to explode. This is a safety issue where the car is required to prohibit certain things - such as video playback.
You'd hope so but I fear that many safety critical aspects run on the same system as the infotainment system... And that's a perfect excuse for manufacturers to keep these things completely closed
“Users shouldn’t be same to control their own engines actually” hmm well ok then
One person's "controlling their own engines" is another "spewing nitrous oxides, carbon monoxide, and other pollutants into the air, giving cancer to neighbors and destroying the atmosphere". We tried the "don't regulate" path and it ended in a multitude of disasters.
You can regulate emissions without preventing custom tunes
In practice, no, you can't. Certainly not without enormous costs such as mandatory regular vehicle inspections.
May I introduce you to the "rolling coal" morons?
No need. I've seen them.
In the States, for example: Every state I've looked at has laws that make it illegal to roll coal.
And at least in my own state (Ohio), it's a primary offense. A person can be pulled over and ticketed for this even if they're doing everything else by the book. It's super easy to spot.
It seems that it persists not because of a lack of laws, but because of a lack of enforcement.
IMO they exist in spite of the laws (and more broadly "woke" science) and I'd expect much more of them if they became legalised.
do you really think there’s no way to prevent or penalize that behavior without preventing the user from owning and operating their own engine?
also, what scale of harm do you think exists from those people?
do you really believe that control of one’s own engine should be removed from all vehicle owners if a few people misuse it?
do you understand that vehicle manufacturers use their proprietary systems that control the vehicle to exploit customers?
> also, what scale of harm do you think exists from those people?
Serious health complications, particularly to cyclists and pedestrians. Significant pollution surges:
> According to government estimates, the practice can increase nitrogen oxide emissions as much as 310 times, non-methane hydrocarbons 1,400 times, and carbon monoxide 120 times. [https://www.rawstory.com/raw-investigates/rolling-coal-donal...]
> AED estimates that the emissions controls have been removed from more than 550,000 diesel pickup trucks in the last decade. As a result ofthis tampering, more than 570,000 tons of excess oxides of nitrogen(NOx) and 5,000 tons of particulate matter (PM) will be emitted by these tampered trucks over the lifetime of the vehicles. [https://int.nyt.com/data/documenttools/epa-on-tampered-diese...]
Could it be a right-to-repair issue? That seems to be the only legal wrench available for forcing automakers to open up access to anything.
Why should they ?! Do you also want to force them to design their cars so the engine is easily replaceable by a Custom Engine OS so that the community can build their own engines ?!?
Because laws are (mostly) a reflection of what society wants.
People are growingly concerned with both the car manu and Apple/Google control over their car and related extra software goodies.
Laws are really needed when businesses don’t play nicely. I don’t know the legal specifics, but I’m sure glad I don’t need to buy $1000’s of specialty tools to maintain my vehicle, and sure glad that replacement parts are readily available (and will be for decades).
Just image how much worse society would be if car manus did the same thing as Apple and had ID-paired parts. Sorry! Your AC doesn’t work anymore, please install a genuine Honda oil filter at your nearest Authorized Honda Shop, available for a minimum of $500.
> People are growingly concerned with both the car manu and Apple/Google control over their car and related extra software goodies.
10 out of random 10 drivers out there don't care about the software running in the car.
> Laws are really needed when businesses don’t play nicely. I don’t know the legal specifics, but I’m sure glad I don’t need to buy $1000’s of specialty tools to maintain my vehicle, and sure glad that replacement parts are readily available (and will be for decades).
You drive a self-maintained car. Nothing wrong with that, but I would guess 95 out of 100 drivers on the road don't care about the car at all - they just want reliable transportation from A to B and perhaps some confort.
> Just image how much worse society would be if car manus did the same thing as Apple and had ID-paired parts. Sorry! Your AC doesn’t work anymore, please install a genuine Honda oil filter at your nearest Authorized Honda Shop, available for a minimum of $500.
I don't have to imagine that al all, all premium car manufactures digitally id their components and will not accept 3rd party replacements.
Next thing you know these dirtbags are going to want to choose what wheels and tires to put on these things. The nerve!
(Yes, repairability and standardization are encouraged where feasible.)
I would guess there are a couple of orders of magnitude difference between the complexity of interfaces comparing the head unit with wheels and tires.
Like, the head unit is in control of all that happens on the slow bus of the car, and needs to pass independent safety certifications for a complex system.
I was replying to the bit on replacing the engine.
That's unacceptable, because intelligence needs a way to steer your car into oncoming traffic if required to do so due to confidential national security reasons.