
An Open Letter Opposing Android Developer Verification


As we wrote about back in September in F-Droid and Google’s Developer Registration Decree, Google plans to enforce mandatory developer registration as a requirement for building and distributing Android applications worldwide. Android, currently an open platform where anyone can develop and distribute applications freely, is to become a locked-down platform, requiring that developers everywhere register centrally with Google in order to be able to distribute their software. This applies regardless of whether your software is distributed commercially on a competitive app store like the Samsung Galaxy Store, or through a non-commercial community app repository like F-Droid, or even by offering your app as a direct download from a web page. In all these cases, installing or launching any application on an Android Certified device (which constitutes over 95% of all Android-compatible devices outside of China) will phone home to Google to verify that the developer and the application have been approved.

After an initial public outcry, Google rushed to assure developers that “sideloading is not going away”. This, as we pointed out in What We Talk About When We Talk About Sideloading, is simply untrue. Sideloading, their pejorative term for the direct and unintermediated installation of software of your choosing on the device that you own, is indeed going away if they follow through on their threat. Furthermore, future app store competitors, be they commercial or non-profit, will forever be disadvantaged by their developers being required to sign up with Google, bound to their (voluminous, non-negotiable, and ever-changing) terms and conditions, pay a fee, upload government-issued identification, and register each and every one of their applications with Google.

But didn’t Google back down on Developer Verification?

There was a brief sigh of relief in November when Google offered vague assurances in a blog post that they were going to design some “advanced flow” that might permit “experienced users to accept the risks of installing software that isn’t verified”. Some commenters went so far as to claim victory and assert that Google had backed down from the program altogether. Such triumphalism was premature and uninformed. We have since learned that no such “advanced flow” will be made available prior to the September lock-down. They purported to be “gathering early feedback on the design of this feature”, but this is also untrue: no such feedback has been sought from anyone outside of Google.

Google’s official and unambiguous stance remains, according to their developer landing page, that:

Starting in September 2026, Android will require all apps to be registered by verified developers in order to be installed on certified Android devices.

Google has refused repeated requests for concrete information about what form their so-called “advanced flow” will take, but it is reasonable to predict that if and when it is ever made available at some future point after the lock-down takes effect, it will be maximally obscure and high-friction. Such uncertainty makes it impossible to assess the viability of any “advanced flow” as a work-around for preserving software freedom, and so we must disregard it until it has been demonstrated and vetted by the community.

According to their official timeline, Google intends to open their developer registration console in March. This is the first phase of lock-down, where developers are to be offered the dubious privilege of paying Google so they can surrender their government identification, register all their applications, and become forever locked into Google’s terms and conditions for app distribution.

We unequivocally advise against signing up for this program, now or ever.

But mere inaction is insufficient to offer meaningful resistance to the program. Individual developers must also become advocates for software freedom: through their own projects, through blog posts, through social media, and by contacting their regional regulators. It is only through developer complicity that Google’s lock-down of Android can succeed.

F-Droid stands in solidarity as a signatory to the open letter published today at keepandroidopen.org/open-letter. We join with such champions of free software and free speech as the Electronic Frontier Foundation, the Free Software Foundation Europe, the Software Freedom Conservancy, and dozens of other organizations around the world in repudiating Google’s overreach.

We implore Google to listen to the overwhelming opposition to this program and change course. The Android Developer Verification program is a grievous breach of trust with the free and open-source community that helped propel Android to the dominant position it holds today in the mobile computing world. There is still time to regain trust as a faithful steward of Android, and to work together with the community to seek sound and measured approaches to improving the security of the platform for users everywhere. But that time, as can be watched on the countdown at keepandroidopen.org, is quickly running out.


F-Droid and Google's Developer Registration Decree


For the past 15 years[^1], F-Droid has provided a safe and secure haven for Android users around the world to find and install free and open source apps. When contrasted with the commercial app stores — of which the Google Play store is the most prominent — the differences are stark: they are hotbeds of spyware and scams, blatantly promoting apps that prey on their users through attempts to monetize their attention and mine their intimate information through any means necessary, including trickery and dark patterns.

F-Droid is different. It distributes apps that have been validated to work for the user’s interests, rather than for the interests of the app’s distributors. The way F-Droid works is simple: when a developer creates an app and hosts the source code publicly somewhere, the F-Droid team reviews it, inspecting it to ensure that it is completely open source and contains no undocumented anti-features such as advertisements or trackers[^antifeatures]. Once it passes inspection, the F-Droid build service compiles and packages the app to make it ready for distribution. The package is then either signed with F-Droid’s cryptographic key or, if the build is reproducible, distributed with the signature made by the original developer’s private key. In this way, users can trust that any app distributed through F-Droid is the one that was built from the specified source code and has not been tampered with.

Do you want a weather app that doesn’t transmit your every movement to a shadowy data broker? Or a scheduling assistant that doesn’t siphon your intimate details into an advertisement network? F-Droid has your back. Just as sunlight is the best disinfectant against corruption, open source is the best defense against software acting against the interests of the user.

Google’s move to break free app distribution

The future of this elegant and proven system was put in jeopardy last month, when Google unilaterally decreed that Android developers everywhere in the world are going to be required to register centrally with Google. In addition to demanding payment of a registration fee and agreement to their (non-negotiable and ever-changing) terms and conditions, Google will also require the uploading of personally identifying documents, including government ID, by the authors of the software, as well as enumerating all the unique “application identifiers” for every app that is to be distributed by the registered developer.

The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.

If it were to be put into effect, the developer registration decree would end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world would be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all. F-Droid’s myriad users[^howmanyusers] would be left adrift, with no means to install — or even update their existing installed — applications.

The Security Canard

While directly installing — or “sideloading”[^sideloading] — software can be construed as carrying some inherent risk, it is false to claim that centralized app stores are the only safe option for software distribution. Google Play itself has repeatedly hosted malware, proving that corporate gatekeeping doesn’t guarantee user protection. By contrast, F-Droid offers a trustworthy and transparent alternative approach to security: every app is free and open source, the code can be audited by anyone, the build process and logs are public, and reproducible builds ensure that what is published matches the source code exactly. This transparency and accountability provides a stronger basis for trust than closed platforms, while still giving users freedom to choose. Restricting direct app installation not only undermines that choice, it also erodes the diversity and resilience of the open-source ecosystem by consolidating control in the hands of a few corporate players.

Furthermore, Google’s framing that they need to mandate developer registration in order to defend against malware is disingenuous, because they already have a remediation mechanism for malware they identify on a device: the Play Protect service[^playprotect], which is enabled on all Android Certified devices, already scans and disables apps that have been identified as malware, regardless of their provenance. Any perceived risks associated with direct app installation can be mitigated through user education, open-source transparency, and existing security measures without imposing exclusionary registration requirements.

We do not believe that developer registration is motivated by security. We believe it is about consolidating power and tightening control over a formerly open ecosystem.

The Right to Run

If you own a computer, you should have the right to run whatever programs you want on it. This is just as true with the apps on your Android/iPhone mobile device as it is with the applications on your Linux/Mac/Windows desktop or server. Forcing software creators into a centralized registration scheme in order to publish and distribute their works is as egregious as forcing writers and artists to register with a central authority in order to be able to distribute their creative works. It is an offense to the core principles of free speech and thought that are central to the workings of democratic societies around the world.

By tying application identifiers to personal ID checks and fees, Google is building a choke point that restricts competition and limits user freedom. It must find a solution which preserves user rights, freedom of choice, and a healthy, competitive ecosystem.

What do we propose?

Regulatory and competition authorities should look carefully at Google’s proposed activities, and ensure that policies designed to improve security are not abused to consolidate monopoly control. We urge regulators to safeguard the ability of alternative app stores and open-source projects to operate freely, and to protect developers who cannot or will not comply with exclusionary registration schemes and demands for personal information.

If you are a developer or user who values digital freedom, you can help. Write to your Member of Parliament, Congressperson or other representative, sign petitions in defense of sideloading, and contact the European Commission’s Digital Markets Act (DMA) team to express why preserving open distribution matters. By making your voice heard, you help defend not only F-Droid, but the principle that software should remain a commons, accessible and free from unnecessary corporate gatekeeping.

[^1]: “For fifteen more”: https://f-droid.org/2025/09/04/twif.html
[^antifeatures]: F-Droid Anti-Features overview: https://f-droid.org/docs/Anti-Features/
[^howmanyusers]: How many F-Droid users are there, exactly? We don’t know, because we don’t track users or have any registration. “No user accounts, by design”: https://f-droid.org/2022/02/28/no-user-accounts-by-design.html
[^sideloading]: ‘“Sideload” is a weird euphemism that the mobile duopoly came up with; it means “installing software without our permission,” which we used to just call “installing software” (because you don’t need a manufacturer’s permission to install software on your computer).’ — Pluralistic: Darth Android: https://pluralistic.net/2025/09/01/fulu/
[^playprotect]: “Google Play Protect checks your apps and devices for harmful behavior”: https://support.google.com/googleplay/answer/2812853


Google Developer Verification Policy and the DMA


The Digital Markets Act (DMA) is “the EU’s law to make the markets in the digital sector fairer and more contestable”.

F-Droid strongly aligns with many of the ideals of the DMA regarding ensuring user choice and privacy. For example:

  • The DMA has provisions for ensuring third-party software applications or software application stores can be used: F-Droid has long been the premier way for privacy- or free-software-focused users to install applications outside of the Google Play Store.
  • The DMA places limitations on how gatekeepers process personal data: F-Droid doesn’t even have accounts. We don’t track users at all. There is no personal data for us to process.

Recently, Google introduced a new developer verification policy which is at odds with the DMA. It demands that apps can only be installed on its operating system if the app developers have verified themselves with Google, even if the app is not installed via the Play Store. This may sound like it only impacts app developers, but it very much impacts end users’ choice and freedom, in a detrimental way that is not in the spirit of the DMA.

Google may argue that the policy they have put in place is strictly necessary and proportionate, to ensure that third-party software applications or software application stores do not endanger the integrity of the hardware or operating system provided by Google (Article 6.4).

This is demonstrably false.

Trust is not earned by verifying a developer’s legal identity. There is no way to verify whether an app published to the Play Store is harmful or not, regardless of whether their identity has been verified with Google.

Trust is earned by transparency. F-Droid users are able to verify with certainty the source code which was used to build an app they are about to install.

The way in which F-Droid builds free software from source and then distributes it to end users without needing to involve Google is akin to how most Linux distributions have been distributing software for decades. These distribution mechanisms have stood the test of time, are regarded as extremely secure and trustworthy, and are used by most of the modern computing infrastructure across the globe.

Nobody has suggested that Linux distributions need to be made safer for end users by having a central authority verify each app developer. It should be no different for mobile operating systems.


NGI Mobifree funds client app overhaul


The F-Droid app was created in 2009 in the early days of Android and lots of its code is still that old. While the ecosystem has seen many drastic shifts, the F-Droid community heroically kept the app alive with band aids and chewing gum.

However, this task is becoming increasingly difficult. In a project’s life, there comes a time when the accumulated technical debt can’t be managed anymore and the only way forward is to rewrite the project from scratch. This effort has been under way for a while already. We’ve been rewriting the basic parts of the app and putting them into reusable libraries. However, most of the upper layers of the code still need rewriting as well.

Unfortunately, we have reached a point where this can’t be done bit by bit anymore, because of historic entanglement of the remaining pieces. The rest requires one big swoop which is too big for a single volunteer contribution and typically not the kind of work that is attractive for external funders.

Therefore, we are especially thrilled to announce that the Mobifree programme of the Next Generation Internet initiative agreed to fund this monumental effort. With their support, we aim to modernize the F-Droid app with a focus on the user interface to make the app easier to use and more appealing especially for new users. At the same time, the modernization should make it easier and more attractive to contribute to the app while also making it easier for the maintainers to review and merge external contributions due to better test coverage and less code entanglement.

The rewrite will be exclusively in Kotlin and use Compose for the UI while using modern architectural patterns that will make the app easier to maintain and more fun to contribute to. It will also allow for a responsive UI that adapts to the available screen size, be it a phone, a foldable, a tablet or even a desktop screen.


Zalgo Rly

jwz

Saturday Morning Breakfast Cereal - Gender Stereotypes


Hovertext: I'm just realizing I always give my jerk characters red hair. It's nice to see one's self-hatred manifested so plainly.


teufel
3655 days ago
The hovertext is also great.
1 public comment
kleer001
3657 days ago
Winner chicken dinner :/