For the past 15 years¹, F-Droid has provided a safe and secure haven for Android users around the world to find and install free and open source apps. When contrasted with the commercial app stores — of which the Google Play store is the most prominent — the differences are stark: they are hotbeds of spyware and scams, blatantly promoting apps that prey on their users through attempts to monetize their attention and mine their intimate information through any means necessary, including trickery and dark patterns.

F-Droid is different. It distributes apps that have been validated to work for the user’s interests, rather than for the interests of the app’s distributors. The way F-Droid works is simple: when a developer creates an app and hosts the source code publicly somewhere, the F-Droid team reviews it, inspecting it to ensure that it is completely open source and contains no undocumented anti-features such as advertisements or trackers[^antifeatures]. Once it passes inspection, the F-Droid build service compiles and packages the app to make it ready for distribution. The package is then signed either with F-Droid’s cryptographic key, or, if the build is reproducible, enables distribution using the original developer’s private key. In this way, users can trust that any app distributed through F-Droid is the one that was built from the specified source code and has not been tampered with.

Do you want a weather app that doesn’t transmit your every movement to a shadowy data broker? Or a scheduling assistant that doesn’t siphon your intimate details into an advertisement network? F-Droid has your back. Just as sunlight is the best disinfectant against corruption, open source is the best defense against software acting against the interests of the user.

Google’s move to break free app distribution

The future of this elegant and proven system was put in jeopardy last month, when Google unilaterally decreed that Android developers everywhere in the world are going to be required to register centrally with Google. In addition to demanding payment of a registration fee and agreement to their (non-negotiable and ever-changing) terms and conditions, Google will also require the uploading of personally identifying documents, including government ID, by the authors of the software, as well as enumerating all the unique “application identifiers” for every app that is to be distributed by the registered developer.

The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.

If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world will be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all. F-Droid’s myriad users[^howmanyusers] will be left adrift, with no means to install — or even update their existing installed — applications.

The Security Canard

While directly installing — or “sideloading”[^sideloading] — software can be construed as carrying some inherent risk, it is false to claim that centralized app stores are the only safe option for software distribution. Google Play itself has repeatedly hosted malware, proving that corporate gatekeeping doesn’t guarantee user protection. By contrast, F-Droid offers a trustworthy and transparent alternative approach to security: every app is free and open source, the code can be audited by anyone, the build process and logs are public, and reproducible builds ensure that what is published matches the source code exactly. This transparency and accountability provides a stronger basis for trust than closed platforms, while still giving users freedom to choose. Restricting direct app installation not only undermines that choice, it also erodes the diversity and resilience of the open-source ecosystem by consolidating control in the hands of a few corporate players.

Furthermore, Google’s framing that they need to mandate developer registration in order to defend against malware is disingenuous because they already have a remediation mechanism for malware they identify on a device: the Play Protect service[^playprotect] that is enabled on all Android Certified devices already scans and disables apps that have been identified as malware, regardless of their provenience. Any perceived risks associated with direct app installation can be mitigated through user education, open-source transparency, and existing security measures without imposing exclusionary registration requirements.

We do not believe that developer registration is motivated by security. We believe it is about consolidating power and tightening control over a formerly open ecosystem.

The Right to Run

If you own a computer, you should have the right to run whatever programs you want on it. This is just as true with the apps on your Android/iPhone mobile device as it is with the applications on your Linux/Mac/Windows desktop or server. Forcing software creators into a centralized registration scheme in order to publish and distribute their works is as egregious as forcing writers and artists to register with a central authority in order to be able to distribute their creative works. It is an offense to the core principles of free speech and thought that are central to the workings of democratic societies around the world.

By tying application identifiers to personal ID checks and fees, Google is building a choke point that restricts competition and limits user freedom. It must find a solution which preserves user rights, freedom of choice, and a healthy, competitive ecosystem.

What do we propose?

Regulatory and competition authorities should look carefully at Google’s proposed activities, and ensure that policies designed to improve security are not abused to consolidate monopoly control. We urge regulators to safeguard the ability of alternative app stores and open-source projects to operate freely, and to protect developers who cannot or will not comply with exclusionary registration schemes and demands for personal information.

If you are a developer or user who values digital freedom, you can help. Write to your Member of Parliament, Congressperson or other representative, sign petitions in defense of sideloading, and contact the European Commission’s Digital Markets Act (DMA) team to express why preserving open distribution matters. By making your voice heard, you help defend not only F-Droid, but the principle that software should remain a commons, accessible and free from unnecessary corporate gatekeeping.

https://f-droid.org/2025/09/04/twif.html [^antifeatures]: F-Droid Anti-Features overview: https://f-droid.org/docs/Anti-Features/ [^howmanyusers]: How many F-Droid users are there, exactly? We don’t know, because we don’t track users or have any registration. “No user accounts, by design”: https://f-droid.org/2022/02/28/no-user-accounts-by-design.html [^sideloading]: ‘“Sideload” is a weird euphemism that the mobile duopoly came up with; it means “installing software without our permission,” which we used to just call “installing software” (because you don’t need a manufacturer’s permission to install software on your computer).’ — Pluralistic: Darth Android: https://pluralistic.net/2025/09/01/fulu/ [^playprotect]: “Google Play Protect checks your apps and devices for harmful behavior”: https://support.google.com/googleplay/answer/2812853

The Digital Markets Act (DMA) is “the EU’s law to make the markets in the digital sector fairer and more contestable”.

F-Droid strongly aligns with many of the ideals of the DMA regarding ensuring user choice and privacy. For example:

• The DMA has provisions for ensuring third-party software applications or software application stores can be used: F-Droid has long been the premier way for privacy or free software focused users to install applications outside of the Google Play Store
• The DMA places limitations on how gatekeepers process personal data: F-Droid doesn’t even have accounts. We don’t track users at all. There is no personal data for us to process.

Recently, Google introduced a new developer verification policy which is at odds with the DMA. It demands that apps can only be installed on its operating system if the app developers have verified themselves with Google, even if the app is not installed via the Play Store. This may sound like it only impacts app developers, but it very much impacts end users choice and freedom, in a detrimental way that is not in the spirit of the DMA.

Google may argue that the policy they have put in place is strictly necessary and proportionate, to ensure that third-party software applications or software application stores do not endanger the integrity of the hardware or operating system provided by Google (Article 6.4).

This is demonstrably false.

Trust is not earned by verifying a developers legal identity. There is no way to verify whether an app published to the Play Store is harmful or not, regardless of whether their identity has been verified with Google.

Trust is earned by transparency. F-Droid users are able to verify with certainty the source code which was used to build an app they are about to install.

The way in which F-Droid builds free software from source and then distributes it to end users without needing to involve Google, is akin to how most Linux distributions have been distributing software for decades. These distributions mechanisms have stood the test of time, are regarded as extremely secure and trustworthy, and are used by most of the modern computing infrastructure across the globe.

Nobody has suggested that Linux distributions need to be made safer for end users by having a central authority verify each app developer. It should be no different for mobile operating systems.

The F-Droid app was created in 2009 in the early days of Android and lots of its code is still that old. While the ecosystem has seen many drastic shifts, the F-Droid community heroically kept the app alive with band aids and chewing gum.

However, this task becomes increasingly difficult. In a project’s life, there comes a time when the accumulated technical debt can’t be managed anymore and the only way forward is to rewrite the project from scratch. This effort is under way for a while already. We’ve been rewriting the basic parts of the app and put them into reusable libraries. However, most of the upper layers of the code still need rewriting as well.

Unfortunately, we have reached a point where this can’t be done bit by bit anymore, because of historic entanglement of the remaining pieces. The rest requires one big swoop which is too big for a single volunteer contribution and typically not the kind of work that is attractive for external funders.

Therefore, we are especially thrilled to announce that the Mobifree programme of the Next Generation Internet initiative agreed to fund this monumental effort. With their support, we aim to modernize the F-Droid app with a focus on the user interface to make the app easier to use and more appealing especially for new users. At the same time, the modernization should make it easier and more attractive to contribute to the app while also making it easier for the maintainers to review and merge external contributions due to better test coverage and less code entanglement.

The rewrite will be exclusively in Kotlin and use Compose for the UI while using modern architectural patterns that will make the app easier to maintain and more fun to contribute to. It will also allow for a responsive UI that adapts to the available screen size, be it a phone, a foldable, a tablet or even a desktop screen.

Hovertext: I'm just realizing I always give my jerk characters red hair. It's nice to see one's self-hatred manifested so to plainly.

Somehow, this woman seems to be spinning both clockwise and counter-clockwise simultaneously. This is worse than the spinning ballerina. Anyone know who did this? Randomly found it on Facebook and couldn't trace the source back...