Blog

Android Developer Verification

Apr 1, 2026 - 10 min read - 1943 words

Just in time for April Fools Day, Google this week launched their Developer Verification Console, where they offer developers around the world the dubious opportunity to pay them a fee, upload their government identification, and agree to their ever-changing and non-negotiable terms and conditions in order to be granted the privilege of creating apps for Android.

We first raised the alarm about this program in September (“F-Droid and Google’s Developer Registration Decree” ↗).

As a reminder, this is not only for

unilateral lockdown

A software update has been non-consensually pushed to your device

The Terms and Conditions

By the way, “Google may make changes to the Terms at any time” (6.3), and if you do not agree with any of their future changes, “You may terminate Your use of the ADC, which will be Your sole and exclusive remedy” (6.4). And if you have any objections, you “agree to submit to the exclusive jurisdiction of the federal or state courts located within the county of Santa Clara, California” (7.6).

What we Talk about when we Talk about Malware”

The aforementioned Ts&Cs have the following menacing provision:

6.5 If You violate any of the Terms or if You distribute malware or other harmful applications, Google may terminate Your access to the ADC.

Conspicuously absent from the rest of the document is any definition of the term “malware”.

One specific prohibition that the document does mention is that it is forbidden to:

to access any other Google product or service in a manner that violates the terms of service of such other Google product or service.

No one denies that scams and malware exists.

The “Advanced Flow”

Continues to state unequivocally that:

https://developer.android.com/developer-verification ↗ “Starting in September 2026, apps in select regions must be registered by a verified developer to be installed on certified Android devices.”

https://developer.android.com/static/developer-verification/guides/pdf-guides/adc-guide.pdf ↗ “Starting in September 2026, Android apps must be registered to a developer with a verified identity in order to be installed by users on certified Android devices.”

Posted on Sep 29, 2025 https://f-droid.org/en/2025/09/29/google-developer-registration-decree.html ↗

Posted on Oct 28, 2025 https://f-droid.org/en/2025/10/28/sideloading.html ↗

Posted on Feb 24, 2026 https://f-droid.org/en/2026/02/24/open-letter-opposing-developer-verification.html ↗

Removed from last blog post:

On Malware and Digital Sovereignty

Google purports their their lock-down is necessary to prevent the spread of malware. What exactly is “malware”? There is no universally-accepted definition, but it generally means malicious or otherwise unwanted software. Yielding to Google as the sole arbiter of the “malware” designation grants them unilateral authority to define and redefine the term as they see fit.

To be sure, there are certain categories of applications that are unambiguously malicious, such as apps that pretend to be your bank in order to hijack credentials and steal your money. Yet other categories of apps that are widely regarded as predatory — such as addiction-conducive “gacha” gambling apps that lure vulnerable users into wasting their money and attention on gems and coins — are gleefully promoted on many commercial app stores, including Google’s own Play Store. Or apps that profit by clandestinely siphoning off your intimate personal information — location, contacts, photos, calendar, etc. — to data brokers who package it up and redistribute to the highest bidder, are disallowed by F-Droid but happily tolerated in the Play Store.

Further, how might Google’s own “malware” designation be expanded in the future? They have long since banned ad-blocking software ↗ from the Play Store, and have even classified some as malware ↗. How long before they designate all ad-blocking software as malware and block installation on all Android certified devices worldwide? Such a move would certainly be aligned with their commercial incentives as the global leader in ad-tech.

And finally, if Google is directed by the US government to block certain applications, they will have no choice but to comply. Whereas such actions have heretofore been limited to software distributed through the Google’s own Play Store, such as their recent removal of the Red Dot ↗ app, centralized developer registration would extend this control worldwide, which would transitively grant any US administration the extra-legal ability to block apps across the world for any reason whatsoever.

I confirm that I have read and agree to the Android Developer Console Terms of Service:

Android Developer Console Terms of Service https://developer.android.com/developer-verification/console/terms ↗

Effective as of November 11, 2025

Applicable Terms

1.1 Thanks for using the Android Developer Console (“ADC”). The ADC is a service provided to developers at http://get.google.com/adc-early-access ↗ by Google LLC, a Delaware limited liability company with principal place of business at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States; Google Ireland Limited, a company incorporated in Ireland with principal place of business at Gordon House, Barrow Street, Dublin 4, Ireland; Google Commerce Limited, a company incorporated in Ireland with principal place of business at Gordon House, Barrow Street, Dublin 4, Ireland; or Google Asia Pacific Pte. Limited, a company incorporated in Singapore with principal place of business at 70 Pasir Panjang Road, #03-71, Mapletree Business City, Singapore 117371. Google may update the Google entities and their addresses from time to time (collectively, herein, referred to as “Google”, “we” or “us”). Your use, as an individual, of the ADC is subject to these Android Developer Console Terms of Service (the “Terms”).

1.2 These Terms form a legally binding contract between You and Google in relation to Your use of the ADC.

1.3 You must accept these terms in order to use the ADC.

1.4 The ADC includes web and mobile web versions of the ADC that Google may make available to You.

1.5 The purpose of the ADC is to enable developers to register, verify their identity, and identify the package(s) that You plan to distribute on devices running the Android operating system with Google Mobile Services (“GMS Android devices”). Failure to complete Your verification and registration may result in Your applications being blocked from installation.

Account Types

2.1. Limited Distribution Accounts. Google recognizes that the needs of individual developers using the ADC for non-commercial purposes, such as students or hobbyists, may differ from those of commercial organizations. As such, Google may offer a separate type of ADC account for these developers. If You register for a limited distribution account, You acknowledge and agree that Your use of the ADC may be subject to different or additional terms, including but not limited to, different verification requirements, functionality, and/or distribution limitations. Any such terms will be presented to You during the registration process for that specific account type and will govern Your use of that account.

Definitions

Account Owner: The user who initially created the ADC account.

Console User: Additional users of the Android Developer Console.

You: Any individual user of the Android Developer Console, either as an Account Owner or as a Console User.

Privacy and Information

4.1. Any data collected or used pursuant to Your use of the ADC is in accordance with Google’s Privacy Policy. Additionally, there are some special cases explained below applicable to data that Google collects in connection with the ADC.

Restrictions on Use

You may not use the ADC:

beyond the intended ADC functionality outlined in the Terms and other ADC documentation; to engage in, promote or encourage illegal activity or abusive behavior; to disable, interfere with, reverse engineer, or circumvent any aspect of the ADC; or to access any other Google product or service in a manner that violates the terms of service of such other Google product or service. 6. Modification and Termination of Services

6.1 Google may change, discontinue, or limit access to any ADC feature or functionality, if You are found to have distributed malware without liability to You or the Account Owner.

6.2 If Google discontinues the ADC, where reasonably possible, Google will give You reasonable advance notice. Google may, at its discretion, discontinue the ADC.

6.3 Google may make changes to the Terms at any time with notice and the opportunity to decline further use of the ADC. Google will post notice of modifications to the Terms on the ADC and by emailing Your contact email. Changes will not be retroactive. They will become effective, and will be deemed accepted by You, (a) immediately for those who become Account Owners or ADC Users after the notification is posted; or (b) for pre-existing Account Owner and ADC Users, on the date specific in the notice, which will be no sooner than thirty (30) days after the changes are posted (except changes addressing new functions of the ADC Console or changes required by law will be effective immediately).

6.4 If You do not agree with the modifications to the Terms, You may terminate Your use of the ADC, which will be Your sole and exclusive remedy. You agree that Your continued use of the ADC constitutes Your agreement to the modifications of the Terms.

6.5 If You violate any of the Terms or if You distribute malware or other harmful applications, Google may terminate Your access to the ADC.

General Legal Terms

7.1 The English language version of the Terms will control. Any translations, if any, are non-binding and provided for reference only.

7.2 You agree that if Google does not exercise or enforce any legal right or remedy contained in the Terms (or which Google has the benefit of under any applicable law), this will not be taken to be a formal waiver of Google’s rights and that those rights or remedies will still be available to Google.

7.3 If any court of law having the jurisdiction to decide on this matter rules that any provision of the Terms is invalid, then that provision will be removed from the Terms without affecting the rest of the Terms. The remaining provisions of the Terms will continue to be valid and enforceable.

7.4 You acknowledge and agree that each member of the group of companies comprising Google will be a third -party beneficiary to the Terms and that such other companies will be entitled to directly enforce, and rely upon, any provision of the Terms that confers a benefit on (or rights in favor of) them. Other than this, no other person or company will be a third -party beneficiary to the Terms.

7.5 Except in the case of a change of control (for example, through a stock purchase or sale, merger, or other form of corporate transaction), the rights granted in the Terms may not be assigned or transferred by either You or Google without the prior approval of the other party. Any other attempt to assign is void.

7.6 All claims arising out of or relating to the Terms or Your relationship with Google under the Terms will be governed by the laws of the State of California, excluding California’s conflict of laws provisions. You and Google further agree to submit to the exclusive jurisdiction of the federal or state courts located within the county of Santa Clara, California to resolve any legal matter arising from or relating to the Terms or Your relationship with Google under the Terms, except that You agree that Google will be allowed to apply for injunctive relief in any jurisdiction. If You are accepting the Terms on behalf of a United States government entity or a United States city, county, or state government entity, then the following applies instead of the foregoing: the parties agree to remain silent regarding governing law and venue.

Fear and Loathing in the App Stores

Feb 6, 2026 - 16 min read - 3255 words

I presented a talk on the FOSDEM main track in Brussels last weekend titled “Fear and Loathing in the App Stores” (abstract ↗). It was amazing to see so much interest in the topic, and I had a lot of great conversations afterwards with folk who shared the alarm at the lack of choices, competition, and freedom.

Following is my draft of the talk. My speaker notes weren’t working, so the talk as presented was somewhat more extemporaneous that I had planned, but it mostly followed along the same points as the draft.

Introduction

Hello everyone. I’m here today to talk about mobile devices, app stores, and software freedom.

The majority of humans carry around a little computer in their pocket. These devices are pretty magical: they are packed with high-tech cameras and microphones and sensors and networking and communication hardware.

They also store nearly every personal detail about you: who you are, who your friends and family are, where you are, where you are going, and your favorite books and music and movies and web sites.

But do you own this computer? Truly own it? Can you do whatever you want with it? Is it actually yours, or do you merely possess it?

History

The purpose of a computer is to run software. All that fancy equipment is useless unless there is software that is driving it and telling it what to do.

How does software get on a computer? When I first started programming in 1982 on my TRS-80, I subscribed to a magazine called “The Rainbow”¹ that would publish pages of source code that I would tediously transcribe into the computer’s BASIC interpreter — mostly games and graphics demos and things like that. Later on, I got a cassette peripheral that would allow loading programs from magnetic tape. Then onto floppy disks, and so on.

Nowadays, software distribution through physical media is completely gone. It is almost inconceivable that software would be obtained through any means other than downloading it from the internet. The advent of the modern smartphone also coincided with the advent of “app stores” that collect and bundle catalogs of downloadable programs.

What is an app store? It is essentially just an app that can download and install other apps. It also has other useful features, like the ability to browse and search for applications, to read and post reviews, and to update to new versions of the app. But ultimately, an app store is just an app that installs apps.

So far I’ve just been telling you things you probably already know.

A Tale of Two Platforms: the Duopoly

The state of the world in 2026 is that nearly every one of these pocket computers runs one of two operating systems: Apple’s iOS, which powers their iPhone and iPad devices, or Google’s Android, which powers their own line of Pixel devices, as well as a myriad other devices from other manufactures that either license Android Certification or that build on top of the foundational Android Open-Source project (AOSP).

Android is installed on around 75% of all smartphones worldwide, with iOS taking up the remainder; this ratio varies greatly on a per-country basis, with the iPhone being more widely-used in richer countries due it is higher price. But regardless, these two companies form a global duopoly, controlling the operating systems that are installed on over 95% of all smartphones worldwide outside of China.

Apple

The first “app store” for this modern generation of smartphones was called Cydia, and was developed by Jay Freeman — also known as “saurik” — in 2008.² It was a thriving marketplace with thousands of apps and millions of users.

Apple then released iOS 2.0 that contained their own bundled App Store app and suddenly claimed the exclusive right of software distribution on their phones. As the same time, they banished Cydia by locking down the operating system to break the mechanism that Cydia had been using to install software. Cydia managed to limp along for a few more years by finding workarounds to get their software installed, but ultimately when your operating system vendor is determined to crush you, you will likely always lose.

From then on, and until very recently, the Apple App Store has been the one and only app store on iPhones and other iOS devices.

Google

As for the other half of the duopoly, Google’s Android has historically been more open. Android has long provided APIs for developers to build their own “app store”, and many have done exactly that over the years. These stores might be commercial, like the Amazon Appstore and Samsung Galaxy Store, or they might be non-commercial, like F-Droid.

But despite the ability to have additional app stores, it was never a level playing fields: the terms of Android Certification and its related contracts required that the Google Play store be the one and only app store that is pre-installed and prominently positioned on Android devices.

Apple + Google

Despite supposedly being competitors in the smartphone space, Apple and Google’s actual marketplace policies are startlingly similar. They both require developers to register with their respective portals, pay a fee, agree to lengthy, nonnegotiable, and ever-changing terms and conditions, and then submit themselves to an opaque and indeterminate “app review” process whenever they upload a new app or submit an update to an existing app.

Developers willing to undergo all of this get the benefit of reaching the billions of users served by these marketplaces, but at the cost of a 30% fee skimmed from the top of any and all digital transactions that take place through the app.

These enormous fees have resulted in some of the most profitable business divisions on the history of technology. Google’s play store department has around 70% profit margin, and Apple’s app store is almost 80%. These margins are extraordinary and unprecedented.

Why We Fight

So what’s the actual problem? Sure, we don’t have any real competition, and sure we have to live under the yoke of capricious and authoritarian tech overlords, but what actual harm is being done here?

In the free software community, we often think of free software as an end that is self-justifying. We love free software because of course we do. But why does the world need free software? Why does the world need open source?

Free software provides a very real and tangible defense against some of the harms that are actively being perpetrated against millions of smartphone users on a daily basis.

A Silent Hazard: Normalized Malware

The exorbitant digital taxes I mentioned have led to commercial app developers eschewing the practice of selling their apps directly, and instead resorting to shady tactics to extract monetization from users through other means. One common avenue for this is ad-tech: making money by displaying advertisements to users.

This by itself can be quite profitable, since unlike the web, it is all but impossible to block ads in native applications. And on top of this, the ad-tech that is utilized by these apps is invariably communicating with data brokers, surreptitiously and non-consensually building a profile on users based on every piece of information they can get their hands on.

And that can be a lot of data: depending on what permissions an app can plausibly request, an app might have access to your location, your contacts, your calendar, your photos, and much more. All this data can be siphoned off without your knowledge or consent, and goes towards assembling a profile of you for targeted advertisement, for tracking, and for surveillance, and retained indefinitely, for who knows what future purpose, years or decades down the road. All without your consent or knowledge.

This is malware in its purest form, but these apps are not only accepted, but oftentimes promoted, by the first-party app stores.

A Solution: Free Software

If we could see inside these apps, we could tell what they were doing any how they are doing it, then we would be able to identify which apps are respecting our rights and which are clandestinely stealing our intimate personal information.

But apps distributed to the app stores are not distributed with their source code, but rather are compiled down into opaque binary blobs whose code is obfuscated or encrypted. Laws like the Digital Millennium Copyright Act in the United States — and the various equivalents subsequently passed in most aligned countries — make it a felony to try to break open these apps to study and reveal their inner workings.

So, free software to the rescue, right? Once could just avoid these hazards by having a personal policy of only ever installing free and open-source software on their devices. It might be tedious to have to cross reference every app you want to install from the Goole Play Store or Apple App Store with some externally curated list of open-source apps, but would be possible, right?

Except, even in cases where you have winnowed a list of potential apps down to only contain ones that are free and open source, how do you actually validate this list? After all, you are just getting an obfuscated or encrypted blob from the app stores. Who is to say that the source code that the creator claimed corresponded to your app is actually complete, and hasn’t had certain malicious bits of it stripped out of it in order to pass scrutiny?

Enter F-Droid: Trust, but verify

For 15 years, there has been an app store for Android called F-Droid ↗. As I mentioned previously, there are many app stores on Android, but F-Droid is special: it not only has a policy of including only free and open-source applications, it also has the means to prove it.

When an app is submitted for including in the F-Droid catalog, it is built from the source code, either by the F-Droid servers themselves, or by verifying the reproducibility of a pre-built binary that the developer submits. Reproducibility means that anyone — not just F-Droid — is able to take the source code, build it themselves, and verify, byte-for-byte, that the compiled artifact matches the app that you are installing on your device. In this way, users can have real trust in the applications they choose to let into their lives.

A New Hope for iOS: the Digital Markets Act

F-Droid is great, but it only helps the Android half of the market. iPhone users were still stuck with the “trust-me-bro” security that they have become accustomed to in that App Store exclusive environment. At least, that was until the advent of the EU’s Digital Markets Act, which was proposed in 2020, passed in 2022, and went into enforcement in March of 2024.³

One of the requirements of the DMA was that the “digital gatekeepers” of “online intermediation services” — i.e., Apple and Google with their app stores — be required to open them up to competition and interoperability. For Apple, this meant that for the first time since the demise of Cydia, they would have to permit additional app stores onto their devices.

So the outlook was rosy. We could finally have complete control of the software we let into our lives, regardless of which ecosystem we find ourselves in?

The Empire Strikes Back: the gatekeepers’ counter-assault on software freedom

Unfortunately, Apple wound up implementing a twisted misinterpretation of the rules. Their claimed compliance was to establish a program they called “Alternative App Marketplaces”,⁴ but they were in no way independent. The marketplaces would need to apply to Apple to be vetted and approved, provide 1 million euros in the form of a letter of credit, and agree to onerous junk fees and persistent oversight.

For developers, they would continue to have to apply to the Apple developer program, pay an annual $100 developer fee, agree to the same nonnegotiable terms and conditions as if they were distributing on Apple’s App Store, and continue to submit their apps and updates though the Apple App Review process, even to get them distributed through the alternative app marketplace of their choosing. It is in no way, shape, or form complying with either the spirit or letter of the DMA, and they’ve gotten away with it without any regulatory repercussions.

Despite all these hurdles and barriers, some new marketplaces have managed to emerge. AltStore ↗ is one of them, and its catalog is growing to include new and novel applications that never would have seen the light of day on the Apple App Store.

However, it continues to be impossible to distribute trustworthy and reproducibly built open-source applications through the alternative app marketplace scheme, because when a developer submits their app to Apple and waits for the manual app review process — or “notarization” as they term it — the end result is that the approved app will be wrapped in an encrypted package and signed by Apple themselves, and only then is the bundle passed off to the Alternative App Marketplace for subsequent distribution through to the end user.

Neither the user, not the app marketplace itself, is ever permitted to see inside this encrypted bundle. Not only does this make it impossible for the user to trust and verify the contents of an app that claims to be free and open source, it also makes it impossible for the app marketplace itself to comply with one of Apple’s core requirements for alternative distribution, which is that the marketplace vouch that all apps they distribute are completely free of malware. But this is an impossible requirement, because they forbid the marketplace from examining the apps themselves.

Google: I have altered the deal (pray I don’t alter it further)

But at least we still have Android and alternatives like F-Droid, right?

Well, not to be out Darth-Vadered by Apple, Google last year announced out of the blue that it was no longer going to be possible to independently distribute applications without registering centrally with Google.⁵ Starting this year, they say that developers will be required to create an account with Google, verify their identity, pay a fee, agree to terms and conditions, and register each and every one of their applications centrally with Google. Failure to do so will result in Android Certified devices refusing to install the app at all.

This is an existential threat to software freedom in general, but also to F-Droid specifically.⁶ We cannot require that developers register with Google, and many will not. If this policy gets implemented, the world will be deprived of some of the most trustworthy and privacy-respecting applications every created.

So instead of inching forward, we are suddenly lurching backwards.

Consolidating Power

As the big tech duopoly increasingly tightens their stranglehold over mobile software, we need to be acutely aware of what is at stake with an app store monoculture. This centralization by unaccountable actors has real global consequences.

And this isn’t just about the prevalence bad software. This is also about what software isn’t available. It is about what is banned, blocked, or never approved in the first place.

Your right to protest (Hong Kong 2019), to hold free and fair elections (Russia 2021), and to protect yourself from police brutality (US 2025) is directly jeopardized by the centralized kill switches these companies hold, and their willingness to use it when extra-legal pressure is applied by powerful actors. This couldn’t happen in an open and competitive marketplace.

How We Fight: Make your voice heard

The prospects for any meaningful regulation happening on my own home country over the next few years are next to zero. As you have probably already guessed, I’m from the United States.

However, since I’m speaking to a predominantly European crowd, you have the fortune of still having strong regulatory bodies and policymakers that are receptive to the needs of their citizens. Reach out to them. Visit https://keepandroidopen.org ↗ to find out who you can contact and the best way to go about it.

And on an individual level, if you are a developer: create free software and distribute it first through the alternative stores: through F-Droid for Android and through AltStore for iOS. You can always distribute it additionally through the first-party app stores afterwards, but the best way to show your support for the alternatives is to make them no longer be “alternatives”, and it is only with your high-quality software they they can thrive and expand.

And even if you are not a developer, you should still be using these stores. Download and install F-Droid ↗ on your Android phone, or AltStore ↗ on your iPhone. They cost nothing, and the mere act of having these present on your device helps chip away at the self-perceived indomitability of the tech giants.

And who knows, before too long, they may become your primary — or only — source of applications.

Thank you for your time, and enjoy the resort of FOSDEM!

Footnotes

The Rainbow was a monthly magazine dedicated to the TRS-80 Color Computer, a home computer made by Tandy Corporation. Sources: Wikipedia — The Rainbow (Magazine) ↗, Archive.org — Rainbow Issue 111 ↗ ↩
Cydia was first released by Jay Freeman (saurik) on February 28, 2008, for iPhone OS 1.1.x, providing jailbroken iPhone users with an alternative app store before Apple’s official App Store launched later that year. Sources: Wikipedia - Cydia ↗, Wikipedia - Jay Freeman ↗, iDownloadBlog - Cydia Store Shutdown FAQ ↗ ↩
The Digital Markets Act (DMA) was proposed by the European Commission in December 2020, formally adopted by the European Parliament on July 5, 2022, signed into law on September 14, 2022, and came into force on November 1, 2022. The regulation started applying on May 2, 2023, with gatekeepers designated on September 6, 2023. Full compliance became mandatory on March 6-7, 2024. Sources: Wikipedia - Digital Markets Act ↗, European Commission - Digital Markets Act ↗, TechPolicy.Press - DMA Roundup March 2024 ↗ ↩
Apple announced changes to iOS, Safari, and the App Store in the European Union on January 25, 2024, to comply with the Digital Markets Act. The changes included introducing “Alternative App Marketplaces” (also called alternative app distribution), new payment options, and alternative browser engines. However, the implementation required marketplace developers to provide a €1 million letter of credit, submit to Apple’s notarization process, and pay various fees including the Core Technology Fee. The European Commission opened non-compliance investigations against Apple on March 25, 2024, and sent preliminary findings on June 24, 2024, that Apple’s business terms continued to impose anti-competitive provisions. Sources: Apple Newsroom - EU Changes Announcement ↗, Brookings - Overseeing App Stores Under the DMA ↗, TechPolicy.Press - Understanding Apple Non-Compliance ↗ ↩
Google announced in August 2025 that it would require all Android app developers to undergo identity verification and register with Google, regardless of whether they distribute through Google Play or alternative channels. The policy requires developers to provide legal name, address, email, phone number, and government-issued ID, plus pay the $25 registration fee. Early access began in October 2025, with full enforcement starting in September 2026 in Brazil, Indonesia, Singapore, and Thailand, followed by global rollout in 2027. Sources: Announcement - Android Developer Blog ↗, Keep Android Open ↗ ↩
F-Droid published a detailed response to Google’s developer registration decree on September 29, 2025, warning that the policy represents an existential threat to the project and to software freedom on Android. Source: F-Droid - Google’s Developer Registration Decree ↗, F-Droid - What We Talk About When We Talk About Sideloading ↗ ↩

App Fair Retrospective, 2025

Dec 31, 2025 - 5 min read - 991 words

As 2025 draws to a close, it’s a good moment to pause and reflect on a year that proved to be both challenging and energizing for the App Fair Project. Building on the momentum of last year’s retrospective, 2025 saw the project deepen its advocacy work, expand its public presence, and respond to some of the most consequential shifts in the app ecosystem in over a decade.

Free App Stores and FOSDEM 2025

At FOSDEM 2025 in February I presented “Free App Stores and the Digital Markets Act.” The talk focused on how the DMA reshapes the legal and technical landscape for app distribution in Europe, and what those changes mean for free software, alternative app stores, and user autonomy. You can watch the presentation and read the transcript at FOSDEM 2025: Free App Stores and the Digital Markets Act.

Earlier I had the pleasure of being interviewed for the FSFE’s Software Freedom Podcast by Bonnie Mehring¹, where we discussed the App Fair Project, the role of regulation in restoring balance to app ecosystems, and why distribution freedom matters for both developers and users. Listen to the complete Software Freedom Podcast interview.

A Year of Public Engagement

This year I joined the board of the F-Droid project ↗. The App Fair Project takes much of its inspiration from F-Droid, and we regard it as a sister project with much wisdom and experience to share from its 15 years of providing free and open-source software to the Android community.

In October, I joined a panel at the Free Software Foundation’s 40-year anniversary celebration², alongside representatives from the FSF, the Electronic Frontier Foundation, and Sugar Labs. It was inspiring to reflect on four decades of free software advocacy, and to situate today’s struggles over app stores and gatekeepers within that longer history. A write-up of the panel is available at FSF40-panel.

In November, I attended the Digital Markets Act enforcement symposium³, organized by the free-expression organization ARTICLE 19. I participated as a technical expert, helping to assess the issues and proposals raised by presenters at a time when regulators, advocates, and technologists are grappling with how DMA enforcement should work in practice.⁴ These conversations underscored that while the DMA is already having real effects, sustained technical and policy engagement is essential to ensure its goals are realized.

Google’s Developer Registration Decree

One of the defining moments of 2025 came in August, when Google shocked the Android world by unilaterally announcing⁵ that all developers would be required to register with Google in order to continue distributing their apps on Android Certified devices, even outside of Google Play.

This move fundamentally alters long-standing assumptions about sideloading and independent distribution on Android, and it prompted a series of posts in opposition, published through the F-Droid Blog. In September we posted “Free App Stores and Google’s Developer Registration Decree” and in October we published “What We Talk About When We Talk About Sideloading”, which resulted in an extraordinary amount of press coverage⁶ and increased awareness of the issue. I was interviewed by a variety or tech publications as well as the popular Techlore channel⁷.

In parallel, we launched keepandroidopen.org ↗ as a focused resource to document the implications of this policy shift, coordinate advocacy, and provide calls to action to resist the lockdown of Android.

Looking Ahead to 2026

As we turn toward 2026, there is no shortage of work ahead. I’ll be attending FOSDEM 2026 alongside members of the F-Droid team and board, and presenting on the main track: “Fear and Loathing in the App Stores: when FLOSS principles collide with the Gatekeeper interests.”⁸

The project will continue ongoing advocacy in support of strong DMA enforcement and continued opposition to Google’s Android Developer Registration Decree and similar efforts that undermine independent app distribution. We will also continue to forcefully oppose Apple’s “notarization” requirement for its third-party app marketplaces in the EU and Japan (as well as Brazil in the near future).

A founding principle of the App Fair Project is that you have the right to install whatever software you want on your computer, regardless of whether it is on your desk or in your pocket. Apple’s “notarization” and Google’s “developer registration” are two sides of the same coin: a ploy by the mobile duopoly to strengthen their gatekeeping and control what you are allowed to do with the devices that you own.

We’re also preparing the full opening of the App Fair submission process and launch of the appfair.net index, cataloging apps distributed through the App Fair Project and making them easier for users to discover. The technical pieces are mostly in place and we’ve been publishing a handful of sample apps throughout the year in an effort to make the pipeline stable and robust.

Closing Thoughts

2025 reaffirmed that the fight for fair, open, and user-respecting app ecosystems is far from over, but it also showed that sustained advocacy, technical clarity, and community collaboration can make a real difference. I’m deeply grateful to everyone who supported the App Fair Project this year.

Here’s to carrying that momentum forward into 2026!

Software Freedom Podcast #30: The App Fair Project with Marc Prud’hommeaux: https://fsfe.org/news/podcast/2025/episode-30.en.html ↗ ↩
Free Software Foundation 40th Anniversary Celebration: https://www.fsf.org/events/fsf40-celebration ↗ ↩
ARTICLE 19 DMA Report (PDF): https://www.article19.org/wp-content/uploads/2025/11/DMA-DIGITAL-FINAL-2025.pdf ↗ ↩
Tech Policy Press: “What Europe’s Digital Markets Act Has Delivered So Far and What Comes Next”: https://www.techpolicy.press/what-europes-digital-markets-act-has-delivered-so-far-and-what-comes-next/ ↗ ↩
Android Developers Blog: “A new layer of security for certified Android devices,” 25 August 2025: https://android-developers.googleblog.com/2025/08/elevating-android-security.html ↗ ↩
Press reactions: https://keepandroidopen.org/#press-reactions ↗ ↩
The Fight for Android’s Open Ecosystem: https://www.youtube.com/watch?v=ZnYSwX45ODA ↗ ↩
FOSDEM 2026 Schedule: https://fosdem.org/2026/schedule/event/TYZH97-fear-loathing-app-stores/ ↗ ↩

What We Talk About When We Talk About Sideloading

Oct 28, 2025 - 6 min read - 1197 words

This is a cross-posting of an article I wrote for the F-Droid blog at: https://f-droid.org/en/2025/10/28/sideloading.html ↗. As well as managing the App Fair Project, I also serve on the F-Droid board of directors.

We recently published a blog post with our reaction to the new Google Developer Program and how it impacts your freedom to use the devices that you own in the ways that you want. The post garnered quite a lot of feedback and interest from the community and press, as well as various civil society groups and regulatory agencies.

In this post, I hope to clarify and expand on some of the points and rebut some of the counter-messaging that we have witnessed.

Google’s message that “Sideloading is Not Going Away” is clear, concise, and false

Shortly after our post was published, Google aired an episode ↗ of their Android Developers Roundtable series, where they state unequivocally that “sideloading isn’t going anywhere”. They follow-up with a blog post ↗:

Does this mean sideloading is going away on Android? Absolutely not. Sideloading is fundamental to Android and it is not going away.

This statement is untrue. The developer verification decree effectively ends the ability for individuals to choose what software they run on the devices they own.

It bears reminding that “sideload” is a made-up term. Putting software on your computer is simply called “installing”, regardless of whether that computer is in your pocket or on your desk. This could perhaps be further precised as “direct installing”, in case you need to make a distinction between obtaining software the old-fashioned way versus going through a rent-seeking intermediary marketplace like the Google Play Store or the Apple App Store.

Regardless, the term “sideload” was coined to insinuate that there is something dark and sinister about the process, as if the user were making an end-run around safeguards that are designed to keep you protected and secure. But if we reluctantly accept that “sideloading” is a term that has wriggled its way into common parlance, then we should at least use a consistent definition for it. Wikipedia’s summary definition ↗ is:

the transfer of apps from web sources that are not vendor-approved

By this definition, Google’s statement that “sideloading is not going away” is simply false. The vendor — Google, in the case of Android certified devices — will, in point of fact, be approving the source. The supplicant app developer must register with Google, pay a fee, provide government identification, agree to non-negotiable (and ever-changing) terms and conditions, enumerate all their current and future application identifiers, upload evidence of their private signing key, and then hope and wait for Google’s approval.

What this means for your rights

You, the consumer, purchased your Android device believing in Google’s promise that it was an open computing platform and that you could run whatever software you choose on it. Instead, starting next year, they will be non-consensually pushing an update to your operating system that irrevocably blocks this right and leaves you at the mercy of their judgement over what software you are permitted to trust.

You, the creator, can no longer develop an app and share it directly with your friends, family, and community without first seeking Google’s approval. The promise of Android — and a marketing advantage it has used to distinguish itself against the iPhone — has always been that it is “open”. But Google clearly feels that they have enough of a lock on the Android ecosystem, along with sufficient regulatory capture, that they can now jettison this principle with prejudice and impunity.

You, the state, are ceding the rights of your citizens and your own digital sovereignty to a company with a track record of complying with the extrajudicial demands of authoritarian regimes to remove perfectly legal apps that they happen to dislike. The software that is critical to the running of your businesses and governments will be at the mercy of the opaque whims of a distant and unaccountable corporation. Monocultures are perilous not just in agriculture, but in software distribution as well.

As a reminder, this applies not just to devices that exclusively use the Google Play Store: this is for every Android Certified device everywhere in the world, which encompasses over 95% of all Android devices outside of China. Regardless of whether the device owner prefers to use a competing app store like the Samsung Galaxy Store or the Epic Games Store, or a free and open-source app repository like F-Droid, they will be captive to the overarching policies unilaterally dictated by a competing corporate entity.

The place of greater safety

In promoting their developer registration program, Google purports ↗:

Our recent analysis found over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.

We haven’t seen this recent analysis — or any other supporting evidence — but the “50 times” multiple does certainly sound like great cause for distress (even if it is a surprisingly round number). But given the recent news ↗ of “224 malicious apps removed from the Google Play Store after ad fraud campaign discovered”, we are left to wonder whether their energies might better be spent assessing and improving their own safeguards rather than casting vague disparagements against the software development communities that thrive outside their walled garden.

In addition, other recent news ↗ of over 19 million downloads of malware from the Play Store leads us to question whether the sole judgement of a single corporate entity can be trusted to identify and assess malware, especially when that judgement is clouded by commercial incentives that may not align with the well-being of their users.

What can be done?

Google has been facing public outcry against their heavy-handed policies for a long time, but this trend has accelerated recently. Last year they crippled ad-blockers ↗ in Chrome and Chromium-based browsers by forcing through their unpopular “manifest v3” requirement for plugins, and earlier this year they closed off ↗ the development of the Android Open Source Project (AOSP), which is how they were able to clandestinely implement the verification infrastructure that enforces their developer registration decree.

Developer verification is an existential threat to free software distribution platforms like F-Droid as well as emergent commercial competitors to the Play Store. We are witnessing a groundswell of opposition to this attempt from both our user and developer communities, as well as the tech press and civil society groups, but public policymakers still need to be educated about the threat.

To learn more about what you can do as a consumer, visit keepandroidopen.org ↗ for information on how to contact your representative agencies and advocate for keeping the Android ecosystem open for consumers and competition.

If you are an app developer, we recommend against signing yourself up for Google’s developer registration program at this time. We unequivocally reject their attempt to force this program upon the world.

Over half of all humankind uses an Android smartphone. Google does not own your phone. You own your phone. You have the right to decide who to trust, and where you can get your software from.

Panel opening statement for the FSF40 Celebration

Oct 6, 2025 - 4 min read - 582 words

I was honored to be invited as a panelist ↗ at the FSF 40-year celebration event in Boston this weekend. Along with Paige Collings, senior speech and privacy activist from the EFF, Devin Ulibarri, the executive director of Sugar Labs, and Greg Farough, the FSF’s campaigns manager, we spent an hour discussing issues around software freedom and privacy, and answered a variety of interesting questions from the audience.

Once they post video and transcription, I will reproduce it here, but until then I’ll convey my notes in response to the opening question:

How has the freedom of users of mobile phones changed since the beginning of the F-Droid, in 2010?

In 2010, there were about 25 million active Android devices around the world. In 2025, it has grown to over 3 billion. Given that Android is built on free software — insofar as it runs atop the GPL-licensed Linux kernel — this can be viewed as a phenomenal expansion of free software adoption. The fact that nearly half of humanity is walking around today with a free-software-powered smartphone in their pocket is a testament to the power of the ideas that started right here, 40 years ago, with the Free Software Foundation.

Also since 2010, the F-Droid Project has grown from a small personal hobby project with a handful of apps, into a repository of thousands of free and open-source applications. F-Droid and the App Fair are the app stores you can trust, because all the apps are reviewed to keep out closed and proprietary software dependencies and flag any marginal “anti-features”, so the user is always in control of the software they are running on their device. It is truly the free software Garden of Eden.

And with free software applications running on top of a free kernel, what’s not to love about the current state of the world? We live in a magical time, right?

So also since 2010, the mobile phone ecosystem has contracted from a slew of competing systems — Blackberry, Symbian, Palm OS, Firefox OS, Ubuntu Touch, etc. — down to just two: Android and iPhone, with Android currently holding around 70% global market share. And with the entrenchment of this global smartphone duopoly has arisen increasingly extractive behavior from the corporations that control their ecosystems.

This year, 2025, has been especially dark. In March, the “Android Open Source Project” closed off its development from the public, switching to delayed and periodic snapshot source releases. This has been very difficult for projects like GrapheneOS which are based on AOSP.

And last month, the other shoe dropped: Google announced that starting next year, they would be blocking all app installations on Android certified devices from any developer who has not registered with the Google Developer Program, which requires the scanning of government identity documents, the payment of a fee, and the agreement to Google’s non-negotiable and ever-changing terms and conditions. Developers of Android apps around the world — regardless of whether they distribute through F-Droid, some other commercial app store, or simply by uploading an apk to their web site — will be cut off from their users forever unless they comply. If this goes into effect, it is an extinction event for F-Droid.

And so to answer the original question, “how has the freedom of users of mobile phones changed since in 2010”, I’ll summarize by saying: it went up, and then it went down. And that’s where we are today.