Made a bit of progress on the bypass sms verification code when signing up for a new Google account. The whole system is breathtaking from a technical, legal as well as a psychological persepective.
At least on Android, the user is deliberately steered into a “sunk cost falacy” type of situation that suggests that s/he just wasted a couple hundred bucks on a toy that won’t work properly unless connected with a Google Account. Of course, the phone screen is too small to read the terms compfortably and the default is to skip reading your contract anyway. If you want to know what you actually agree to, you pretty much have to look at the wire protocol (it is a lot). How on earth is it that we don’t have laws against this?!