Skip to content
The App Fair Project
Documentation Blog Apps

Blog

A Gatekeeper's Paradise: the App Fair response to the first review of the Digital Markets Act

- 22 min read - 4490 words

The European Commission has published its first review of the Digital Markets Act1, the landmark regulation that was supposed to break the stranglehold of Big Tech gatekeepers on app distribution. The accompanying Staff Working Document2 provides a detailed assessment of compliance across all designated gatekeepers. Despite the conclusion of the review being that the DMA “remains fit for purpose and has positive impact”3, after two years of enforcement proceedings, preliminary findings, and hundreds of millions of euros in fines, the bleak reality is that Apple remains the sole gatekeeper for every app installed on every iPhone in the world, and Google, emboldened by Apple’s consequence-free defiance, has now begun locking down Android.

Article 6(4)4 of the Digital Markets Act is Europe’s attempt to pry open the app distribution monopolies. As we argued in our FOSDEM 2026 talk, “Fear and Loathing in the App Stores,”5 the gatekeepers have every incentive to resist and sabotage this process, and the enforcement mechanisms have thus far proven inadequate to overcome their resistance. The DMA review itself confirms it: the gatekeepers are winning. (For a detailed synthesis of the ~450 stakeholder submissions to the Commission’s review consultation, see our summary and analysis of the DMA first review consultation.)

I. Article 6(4): What the DMA Was Supposed to Require

Section titled “I. Article 6(4): What the DMA Was Supposed to Require”

Article 6(4) of the Digital Markets Act mandates that designated gatekeepers:

“allow and technically enable the installation and effective use of third-party apps or app stores using, or interoperating with, their operating systems, and allow those apps or app stores to be accessed by means other than the gatekeepers’ relevant core platform services.”4

The intent is plain and unambiguous: users should be free to install apps from wherever they choose (alternative app stores, the web, or directly from developers) without being forced to submit to the gatekeeper’s procedures, accept their non-negotiable terms and conditions, and be subjected to their junk fees. Gatekeepers may implement security measures, but only to the extent that they are “strictly necessary and proportionate.”6

What Actually Happened: Apple’s Malicious Compliance

Section titled “What Actually Happened: Apple’s Malicious Compliance”

Before the DMA took effect, Apple’s App Store was the sole channel for distributing native apps on iOS and iPadOS.7 Article 6(4) was supposed to end this monopoly. But what Apple delivered instead is a masterclass in delay, obfuscation, malicious non-compliance, and outright defiance. Here is a condensed timeline of events:

January 25, 2024: Apple announces its DMA compliance plan.8 The centerpiece: a new “Core Technology Fee” (CTF) of EUR 0.50 per “first annual install” above one million downloads, applicable to all apps distributed outside the App Store. Their message to developers was: leave the App Store, and we will charge you for every user. Apple also introduces a “Notarization” process, a mandatory review of every app, regardless of distribution channel, through Apple’s own servers, and imposes eligibility requirements so onerous that most developers and aspiring marketplace operators cannot meet them.9

March 7, 2024: The DMA’s compliance deadline arrives. iOS 17.4 ships with the changes. In theory, alternative app marketplaces can now operate on iOS. In practice, marketplace operators must either post a EUR 1,000,000 standby letter of credit from an A-rated financial institution, or have been an Apple Developer Program member for two continuous years and have an app with over one million EU installs in the prior year.10 Nonprofit and open-source projects (including the App Fair Project), the very organizations that should benefit most from open distribution, are effectively locked out by these steep requirements. And their fallback option presents a comically Kafkaesque scenario: to be free of the gatekeeper requirements, you must first subject yourself to them.

March 18, 2024: The Commission hosts a DMA Compliance Workshop for Apple. Attendees (including this author) report an atmosphere of frustration and hostility.11 Apple’s representatives fend off questions by repeatedly invoking “user security, privacy and safety” while offering no technical substance.

March 19, 2024: The Coalition for App Fairness12 issues a statement describing Apple’s compliance plan as a “continued refusal to comply with the Digital Markets Act.”13

June 24, 2024: The Commission opens a formal non-compliance investigation into Apple’s Article 6(4) compliance, examining the business terms, fees, the “multi-step user journey for installing app stores and apps from the web,” and the eligibility requirements imposed on developers.14

April 23, 2025: The Commission finds Apple in breach of the DMA’s anti-steering provisions under Article 5(4) and imposes a EUR 500 million fine.15 On the same day, it issues preliminary findings of non-compliance on Article 6(4), the alternative distribution obligation.16 Apple appeals the fine.17

June 26, 2025: In response to the fine, Apple announces revised EU business terms, replacing the CTF with a “Core Technology Commission” (CTC), a 5% levy on all sales of digital goods and services.18 Developers report that the new system involves three separate fees for certain downloads.19

January 1, 2026: Apple moves all EU developers to a unified business model based on the CTC.20 The per-install CTF is nominally eliminated, but the new commission structure ensures Apple continues to extract rents from every transaction, regardless of distribution channel.

January 2026: At the Commission’s DMA Compliance Workshop, the Coalition for App Fairness12 reports that Apple’s representatives “dodged questions” and demonstrated that they “have no intent to comply with the law.”21

The Fundamental Problem: Apple Is Still the Sole Gatekeeper

Section titled “The Fundamental Problem: Apple Is Still the Sole Gatekeeper”

Through all of these iterations (CTF, CTC, Notarization, eligibility requirements), one fact has remained constant: Apple remains the sole, mandatory intermediary for every app distributed to every iPhone in the world. Every developer, whether distributing through the App Store, an alternative marketplace, or the web, must:

  1. Enroll in the Apple Developer Program, paying Apple’s annual fee and agreeing to Apple’s non-negotiable terms and conditions.
  2. Submit every app to Apple through App Store Connect for “Notarization,” Apple’s euphemism for what is, in substance, the same gatekeeper review process that existed before the DMA, just with slightly loosened restrictions.10
  3. Accept Apple’s unilateral right to reject, revoke, or delist any app at any time, for any reason Apple deems appropriate.

As the Free Software Foundation Europe has meticulously documented, Apple’s Notarization process “represents the very gatekeeping behaviour the DMA was written to prevent.”10 The process requires all apps to be “submitted to Apple’s servers for scanning, approval, and cryptographic re-signing before installation.” Developers of alternative app stores have “no control over the apps they can distribute in their store, as Apple still holds gatekeeping power through notarisation.”

This is not compliance: it is the opposite of compliance. The DMA requires that app distribution be possible without gatekeeper intermediation. Apple has ensured that gatekeeper intermediation remains mandatory, total, and inescapable, and then relabelled it “Notarization” in place of “App Review.”

II. Google’s Android Lockdown: Emboldened by Apple’s Impunity

Section titled “II. Google’s Android Lockdown: Emboldened by Apple’s Impunity”

Regardless of whether the Commission’s tepid response to Apple’s defiance has been due to intentional permissiveness or political pressure, its consequences are now becoming starkly clear. Google has watched Apple scoff at the Digital Markets Act with impunity for two years, being subject to only minuscule fines relative to their revenues, and emerge with its iron-fisted monopoly on app distribution fully intact. And Google has drawn the obvious conclusion: if Apple can get away with it, so can we.

The Android Developer Verification Program

Section titled “The Android Developer Verification Program”

In September 2025, Google quietly introduced its “Developer Verification” policy22, and in March 2026, the program was rolled out to all developers worldwide.23 The program establishes, for the first time in Android’s history, Google as the central gatekeeper for the distribution of all apps on Android Certified Devices, encompassing over 95% of Android devices globally.24

Here is what the program requires:

  • Every developer who wishes to distribute an app on a certified Android device, whether through the Play Store, an alternative app store like F-Droid, or by direct download, must register with Google through either the Play Console or the new Android Developer Console.23
  • Registration requires submitting government-issued identification, paying fees, and accepting Google’s non-negotiable terms and conditions.24
  • Every app must be “registered,” that is, associated with a verified developer identity in Google’s database.23
  • Beginning in September 2026, unregistered apps will be blocked from installation on certified Android devices unless the user navigates an “advanced flow” that includes a 24-hour waiting period and a device reboot.25 This will start being enforced in a select group of vulnerable countries, followed by rolling enforcement worldwide in 2027.23

Google has framed this as a security measure, claiming to have found “90 times more malware” in apps installed outside the Play Store.23 But the program’s scope reveals its true purpose: it applies universally, to all apps from all sources, including legitimate app stores that have their own robust security review processes. F-Droid, which has maintained an exemplary security record through transparent verification pipelines, reproducible builds, and community audits for over a decade, is treated identically to a malware distribution network.

The Keep Android Open Movement

Section titled “The Keep Android Open Movement”

On February 24, 2026, a coalition of 37 organizations (now over 60) from over 20 countries around the world, including the Electronic Frontier Foundation, the Free Software Foundation Europe, the Software Freedom Conservancy, F-Droid, Vivaldi, Fastmail, and Article 19, published an open letter opposing the program. The letter contests Google’s reassurances that “sideloading is not going away”, responding that “direct and unintermediated installation of software of your choosing on the device that you own, is indeed going away if they follow through.”24

The EFF’s Corynne McSherry has warned that the program “creates a comprehensive database of developer identities worldwide,” making this information vulnerable to government subpoenas and warrants, and placing at particular risk “VPN developers in jurisdictions where privacy tools invite legal scrutiny, journalists and activists building documentation software, and researchers who publish under pseudonyms.”26

Moral Hazard

Section titled “Moral Hazard”

Apple openly defied the DMA, and has gotten away with it (so far). The Commission responded with proceedings that have dragged on for two years without a final resolution on Article 6(4). Apple was fined EUR 500 million (an amount it earns in approximately six hours27) and promptly appealed. And through it all, Apple’s Notarization process has ensured that Apple remains the sole gatekeeper for every app on every iPhone.

Google watched all of this, and decided to follow suit.

This is the very definition of “moral hazard”: when the consequences of defiance are negligible, defiance becomes rational. The Commission’s failure to enforce Article 6(4) with sufficient speed and severity has not merely allowed Apple to maintain its monopoly: it has created a new one. The Android ecosystem, which was the one remaining platform where true alternative distribution was possible, where F-Droid and the App Fair Project could operate freely and developers could distribute apps without any gatekeeper’s permission, is now being locked down. The consequence of the Commission’s restraint is not one closed ecosystem, but two.

Security Theater

Section titled “Security Theater”

Both Apple and Google have invoked the same escape hatch to justify their gatekeeping: the DMA’s allowance for measures that are “strictly necessary and proportionate” to protect “the integrity of the hardware or operating system.”6 Apple claims that Notarization is essential for platform security. Google claims that Developer Verification is needed to combat malware. In both cases, these security claims are asserted but never demonstrated.

Apple has never published independent evidence that its Notarization process catches threats that would not be caught by alternative security mechanisms (such as the decentralized curation model employed by F-Droid, which relies on reproducible builds, open-source auditing, and community review). Google’s claim that sideloaded apps contain “90 times more malware” than Play Store apps23 conflates the source of an app with the mechanism of installation. The relevant question is not whether unscreened APKs downloaded from random websites contain more malware than Play Store apps: it is whether apps distributed through legitimate alternative channels with their own review processes (F-Droid, the Samsung Galaxy Store, or direct distribution by established developers) pose a meaningfully different security risk. Neither Apple nor Google has provided evidence that they do.

The “strictly necessary and proportionate” standard is supposed to be a narrow exception, not a blanket authorization. But in practice, it has become an unfalsifiable get-out-of-jail-free card. The gatekeepers claim it is to fight “malware” while studiously avoiding defining the term, leaving it to mean whatever they want it to mean, and leaving them to change the definition and move the goalposts whenever they choose.

The gatekeepers assert that their measures are necessary for security, and because no independent body has the authority to scrutinize those claims, the assertion stands unchallenged. There is no adversarial process, no independent technical review, and no mechanism for developers or alternative distributors to contest the gatekeeper’s security rationale.

This problem extends well beyond app distribution. Apple has invoked the same security justification to resist its interoperability obligations under Article 6(7),28 and Google could easily do the same. If “security” is an unchallengeable trump card, then every DMA obligation can be circumvented simply by asserting that compliance would create a security risk.

III. The Path Forward: Total Disintermediation

Section titled “III. The Path Forward: Total Disintermediation”

The DMA’s Article 6(4) contains the right principle. The problem is not the law. The problem is that the law has been allowed to be interpreted in a way that permits “compliance” measures that are functionally indistinguishable from the gatekeeping behavior they were supposed to eliminate.

The simple solution is to adhere to a single fundamental principle: app distribution must be possible with no gatekeeper intermediation whatsoever.

What “No Gatekeeper Intermediation” Means

Section titled “What “No Gatekeeper Intermediation” Means”

  1. No mandatory registration with the gatekeeper. A developer should not be required to enroll in any program operated by the platform vendor, pay any fee to the platform vendor, or agree to any terms and conditions imposed by the platform vendor, as a precondition for distributing software to users of that platform. This applies equally to Apple’s Developer Program and Google’s Developer Verification.

  2. No mandatory review or approval by the gatekeeper. The platform vendor should have no right to review, approve, reject, or revoke any app distributed outside its own app store. Apple’s “Notarization” and Google’s “Verification” are euphemisms for the same thing: a gatekeeper veto over all software distribution. This veto must end.

  3. No technical barriers to direct installation. Users should be able to install software (what is often misleadingly termed as “sideloading”29) by the same mechanism they install any other file: by downloading it and opening it. On every desktop and laptop operating system, installing software from arbitrary sources is the default. It should be the default on mobile platforms as well. Your computer is your computer, regardless of whether it is in your pocket or on your desk.

  4. Alternative app stores must be able to operate independently. Free and open-source app stores like the App Fair Project and F-Droid, as well as commercial marketplaces like the Samsung Galaxy Store and Epic Games Store alike, must be able to distribute apps without any dependency on the platform vendor’s infrastructure, approval processes, or fee structures. The App Fair Project’s own experience demonstrates how far we remain from this ideal: Apple’s eligibility requirements, requiring either a million-euro letter of credit or a million prior downloads within the EU, are designed to ensure that only large, well-capitalized corporations can operate alternative marketplaces.11

What the Commission Must Do

Section titled “What the Commission Must Do”

  1. The non-compliance investigation into Apple’s Article 6(4) compliance has been open since June 2024, nearly two years.14 It is time for a final decision, and that decision must establish the principle of total disintermediation: that no developer should be required to interact with, pay, or submit to the gatekeeper in order to distribute software to users of that platform.

  2. The Commission must also act preemptively on Google’s Android Developer Verification program. MEP Schaldemose’s question30 deserves an answer: mandatory developer registration for all apps, including those distributed outside the Play Store, is plainly incompatible with Article 6(4). The Commission should not wait until September 2026 to begin proceedings. It should act now.

  3. The Commission should establish an independent review mechanism for gatekeepers’ security claims, with the burden of proof squarely on the gatekeeper to demonstrate that their measures are, in fact, strictly necessary and proportionate. Without such a mechanism, the security exception will continue to be used as an easy tool to avoid compliance and sabotage the principles of the DMA.

  4. Finally, the Commission should consider whether its enforcement tools are adequate. A EUR 500 million fine against a company with annual revenues exceeding EUR 350 billion27 is not a deterrent: it is a licensing fee. If gatekeepers can pay fines and maintain their monopolies, fines are not working. The Commission has the power under the DMA to impose structural remedies.31 It is time to consider using them.

Conclusion

Section titled “Conclusion”

The DMA was enacted to ensure that digital markets are “fair and contestable.”4 Two years into enforcement, Apple has turned “Notarization” into “App Review” with a different name, and Google has decided that if Apple can be the sole gatekeeper for iOS, then Google can be the sole gatekeeper for Android too.

The Commission’s first review of the DMA acknowledges that alternative app stores “have already emerged and are continuously expanding their range.”1 This is true, but it obscures the fundamental reality: every one of those alternative stores operates at the pleasure of Apple, subject to Apple’s fees, Apple’s review process, and Apple’s unilateral right to shut them down. That is not an open market: it is a managed concession.

The clock is ticking: Google’s Android Developer Verification enforcement begins in September. If the Commission does not act decisively, not just against Apple’s two-year-old non-compliance, but against Google’s impending lockdown, then the DMA will have achieved the very opposite of its purpose. Instead of opening the app distribution market to fair competition, it will have presided over the closing of the last open platform.

Is it our fate that all mobile software be forever gated by the whims of two opaque and unaccountable profit-seeking corporations? If that future is to change, then change needs to start here and now, before these gatekeepers become inextricably entrenched. The European Commission and the Digital Markets Act team should consider their place in history and do the right thing for both their own businesses and consumers, as well as for the other nations throughout the world whose regulatory bodies are taking their their cues from the “Brussels Effect”.

The App Fair Project is a nonprofit organization building free and open-source app marketplace infrastructure. Learn more at appfair.org.

Footnotes

Section titled “Footnotes”

  1. European Commission, “Report from the Commission to the European Parliament, the Council, and the European Economic and Social Committee on the first review of the Digital Markets Act,” COM(2026) 178 final, published April 2026. https://digital-markets-act.ec.europa.eu/consultation-first-review-digital-markets-act_en 2

  2. European Commission, “Commission Staff Working Document accompanying the Report on the first review of the Digital Markets Act,” SWD(2026) 123 final, published April 2026. https://commission.europa.eu/publications/working-documents-2026_en

  3. “Review highlights Digital Markets Act remains fit for purpose and has positive impact”, press release published April 27, 2026 https://ec.europa.eu/commission/presscorner/detail/en/ip_26_914

  4. Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector (Digital Markets Act), Article 6(4). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R1925 2 3

  5. App Fair Project, “Fear and Loathing in the App Stores,” FOSDEM 2026 main track talk, Brussels, February 1, 2026. Examines how Apple and Google maintain their app distribution monopolies despite regulatory intervention. https://appfair.org/blog/fear-and-loathing-in-the-app-stores/

  6. SWD(2026) 123 final, p. 20. The document specifies that gatekeepers “are free to implement measures to protect security and integrity and ensure compliance with other laws to the extent that these measures are strictly necessary and proportionate.” https://commission.europa.eu/publications/working-documents-2026_en 2

  7. SWD(2026) 123 final, p. 20. “Before the DMA, Apple’s App Store was the only app store on iOS and iPadOS from which native apps could be downloaded.” https://commission.europa.eu/publications/working-documents-2026_en

  8. Apple Inc., “Apple announces changes to iOS, Safari, and the App Store in the European Union,” Apple Newsroom, January 25, 2024. https://www.apple.com/newsroom/2024/01/apple-announces-changes-to-ios-safari-and-the-app-store-in-the-european-union/

  9. Apple requires alternative marketplace operators to either provide a EUR 1,000,000 standby letter of credit from an A-rated financial institution, or have been an Apple Developer Program member for two continuous years with an app exceeding one million first annual installs in the EU. See Apple Developer, “Getting started as an alternative app marketplace in the European Union.” https://developer.apple.com/support/alternative-app-marketplace-in-the-eu/

  10. Free Software Foundation Europe, “Legal Corner: Apple’s ‘notarisation’ — blocking software freedom of developers and users,” November 5, 2025. The FSFE details how Apple’s notarisation process requires all apps to be “submitted to Apple’s servers for scanning, approval, and cryptographic re-signing before installation,” regardless of distribution channel. https://fsfe.org/news/2025/news-20251105-01.en.html 2 3

  11. App Fair Project, “Apple DMA Compliance Workshop,” March 18, 2024. First-hand account of the Commission-hosted workshop on Apple’s DMA compliance. https://appfair.org/blog/digital-markets-act-workshop/ 2

  12. Note: The “Coalition for App Fairness” (appfairness.org) and the “App Fair Project” (appfair.org) are distinct and completely unrelated entities. 2

  13. Coalition for App Fairness (unrelated to the App Fair Project12), “CAF Slams Apple’s Continued Refusal to Comply with the Digital Markets Act,” March 19, 2024. https://appfairness.org/caf-slams-apples-continued-refusal-to-comply-with-the-digital-markets-act/

  14. European Commission, “Commission sends preliminary findings to Apple and opens additional non-compliance investigation against Apple under the Digital Markets Act,” Press Release, June 24, 2024. The investigation examines Apple’s business terms, fees, the multi-step user journey, and developer eligibility requirements. https://ec.europa.eu/commission/presscorner/detail/en/ip_24_3433 2

  15. European Commission, “Commission finds Apple and Meta in breach of the Digital Markets Act,” Press Release, April 23, 2025. Apple was fined EUR 500 million for violating Article 5(4) anti-steering provisions. https://digital-markets-act.ec.europa.eu/commission-finds-apple-and-meta-breach-digital-markets-act-2025-04-23_en

  16. European Commission, “Commission closes investigation into Apple’s user choice obligations and issues preliminary findings on rules for alternative apps under the Digital Markets Act,” Press Release, April 23, 2025. https://digital-markets-act.ec.europa.eu/commission-closes-investigation-apples-user-choice-obligations-and-issues-preliminary-findings-rules-2025-04-23_en

  17. Apple filed an appeal against the EUR 500 million fine (Case T-438/25) on July 7, 2025. See CNBC, “Apple appeals 500 million euro EU fine over App Store policies,” July 7, 2025. https://www.cnbc.com/2025/07/07/apple-appeal-eu-fine-app-store.html

  18. Apple announced the Core Technology Commission (CTC) as successor to the Core Technology Fee, a 5% levy on digital goods and services sold through apps distributed from any channel. See RevenueCat, “Apple’s June 2025 EU update: one entitlement, three fees, and CTF’s 2026 sunset,” June 2025. https://www.revenuecat.com/blog/growth/apple-eu-dma-update-june-2025/

  19. CNBC, “Apple reveals complex system of App Store fees to avoid EU fine of 500 million euro,” June 26, 2025. Reports that some developers now face three separate fees for a single download. https://www.cnbc.com/2025/06/26/apple-eu-500-million-euro-app-store.html

  20. Apple Developer, “Update on apps distributed in the European Union.” Details the unified CTC-based business model effective January 1, 2026. https://developer.apple.com/support/dma-and-apps-in-the-eu/

  21. Coalition for App Fairness (unrelated to the App Fair Project12) statement following Apple’s January 2026 DMA Compliance Workshop, in which Apple’s representatives reportedly “dodged questions” and demonstrated “no intent to comply with the law.” See The Register, “Devs say Apple still flouting EU’s DMA six months on,” December 16, 2025. https://www.theregister.com/2025/12/16/apple_dma_complaint/

  22. F-Droid, “Google Developer Verification Policy and the DMA,” September 22, 2025. Initial analysis of Google’s developer verification policy and its implications for the DMA. https://f-droid.org/2025/09/22/google-developer-verification-policy-and-the-dma.html

  23. Google, “Android developer verification: Rolling out to all developers on Play Console and Android Developer Console,” Android Developers Blog, March 2026. https://android-developers.googleblog.com/2026/03/android-developer-verification-rolling-out-to-all-developers.html 2 3 4 5 6

  24. F-Droid, “An Open Letter Opposing Android Developer Verification,” February 24, 2026. Signed by 37 organizations including the EFF, FSFE, Software Freedom Conservancy, Vivaldi, Fastmail, and Article 19. https://f-droid.org/2026/02/24/open-letter-opposing-developer-verification.html 2 3

  25. Google’s “advanced flow” for installing unregistered apps requires a multi-step process including a 24-hour waiting period and a device reboot. See The Hacker News, “Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams,” March 2026. https://thehackernews.com/2026/03/google-adds-24-hour-wait-for-unverified.html

  26. Electronic Frontier Foundation, as quoted in WinBuzzer, “EFF, F-Droid open letter: Google mandatory Android developer registration,” February 25, 2026. https://winbuzzer.com/2026/02/25/eff-f-droid-open-letter-google-mandatory-android-developer-registration-xcxwbn/

  27. Apple reported annual revenue of approximately USD 391 billion (approximately EUR 360 billion) in fiscal year 2025. A EUR 500 million fine represents roughly 0.14% of annual revenue, or approximately six hours of revenue. See Apple Inc., “Apple Reports Fourth Quarter Results,” October 2025. https://investor.apple.com/sec-filings/default.aspx 2

  28. Apple has appealed both of the Commission’s March 2025 specification decisions on interoperability under Article 6(7) (Cases T-354/25 and T-359/25). See also FSFE, “Apple keeps challenging its interoperability obligations under the DMA,” April 20, 2026. https://fsfe.org/news/2026/news-20260420-01.html

  29. The term “sideloading” is itself a rhetorical device designed to make direct software installation sound illegitimate. On desktop platforms (Windows, macOS, Linux), installing software from any source is simply called “installing software.” No one speaks of “sideloading” a program onto their laptop. The term exists solely to normalize the idea that mobile devices should be closed platforms where the manufacturer controls all software distribution.

  30. Christel Schaldemose (S&D), Written Question E-001419/2026 to the European Commission, submitted April 8, 2026. Asks whether mandatory developer registration is compatible with the DMA and how the Commission will prevent security requirements from circumventing DMA obligations. https://www.europarl.europa.eu/doceo/document/E-10-2026-001419_EN.html

  31. Under Article 18 of the DMA, the Commission may impose behavioral or structural remedies in cases of systematic non-compliance, including requiring the divestiture of a business or parts of it. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R1925

Fear and Loathing in the App Stores

- 16 min read - 3255 words

I presented a talk on the FOSDEM main track in Brussels last weekend titled “Fear and Loathing in the App Stores” (abstract). It was amazing to see so much interest in the topic, and I had a lot of great conversations afterwards with folk who shared the alarm at the lack of choices, competition, and freedom.

Following is my draft of the talk. My speaker notes weren’t working, so the talk as presented was somewhat more extemporaneous that I had planned, but it mostly followed along the same points as the draft.

Introduction

Section titled “Introduction”

Hello everyone. I’m here today to talk about mobile devices, app stores, and software freedom.

The majority of humans carry around a little computer in their pocket. These devices are pretty magical: they are packed with high-tech cameras and microphones and sensors and networking and communication hardware.

They also store nearly every personal detail about you: who you are, who your friends and family are, where you are, where you are going, and your favorite books and music and movies and web sites.

But do you own this computer? Truly own it? Can you do whatever you want with it? Is it actually yours, or do you merely possess it?

History

Section titled “History”

The purpose of a computer is to run software. All that fancy equipment is useless unless there is software that is driving it and telling it what to do.

How does software get on a computer? When I first started programming in 1982 on my TRS-80, I subscribed to a magazine called “The Rainbow”1 that would publish pages of source code that I would tediously transcribe into the computer’s BASIC interpreter — mostly games and graphics demos and things like that. Later on, I got a cassette peripheral that would allow loading programs from magnetic tape. Then onto floppy disks, and so on.

Nowadays, software distribution through physical media is completely gone. It is almost inconceivable that software would be obtained through any means other than downloading it from the internet. The advent of the modern smartphone also coincided with the advent of “app stores” that collect and bundle catalogs of downloadable programs.

What is an app store? It is essentially just an app that can download and install other apps. It also has other useful features, like the ability to browse and search for applications, to read and post reviews, and to update to new versions of the app. But ultimately, an app store is just an app that installs apps.

So far I’ve just been telling you things you probably already know.

A Tale of Two Platforms: the Duopoly

Section titled “A Tale of Two Platforms: the Duopoly”

The state of the world in 2026 is that nearly every one of these pocket computers runs one of two operating systems: Apple’s iOS, which powers their iPhone and iPad devices, or Google’s Android, which powers their own line of Pixel devices, as well as a myriad other devices from other manufactures that either license Android Certification or that build on top of the foundational Android Open-Source project (AOSP).

Android is installed on around 75% of all smartphones worldwide, with iOS taking up the remainder; this ratio varies greatly on a per-country basis, with the iPhone being more widely-used in richer countries due it is higher price. But regardless, these two companies form a global duopoly, controlling the operating systems that are installed on over 95% of all smartphones worldwide outside of China.

Apple

Section titled “Apple”

The first “app store” for this modern generation of smartphones was called Cydia, and was developed by Jay Freeman — also known as “saurik” — in 2008.2 It was a thriving marketplace with thousands of apps and millions of users.

Apple then released iOS 2.0 that contained their own bundled App Store app and suddenly claimed the exclusive right of software distribution on their phones. As the same time, they banished Cydia by locking down the operating system to break the mechanism that Cydia had been using to install software. Cydia managed to limp along for a few more years by finding workarounds to get their software installed, but ultimately when your operating system vendor is determined to crush you, you will likely always lose.

From then on, and until very recently, the Apple App Store has been the one and only app store on iPhones and other iOS devices.

Google

Section titled “Google”

As for the other half of the duopoly, Google’s Android has historically been more open. Android has long provided APIs for developers to build their own “app store”, and many have done exactly that over the years. These stores might be commercial, like the Amazon Appstore and Samsung Galaxy Store, or they might be non-commercial, like F-Droid.

But despite the ability to have additional app stores, it was never a level playing fields: the terms of Android Certification and its related contracts required that the Google Play store be the one and only app store that is pre-installed and prominently positioned on Android devices.

Apple + Google

Section titled “Apple + Google”

Despite supposedly being competitors in the smartphone space, Apple and Google’s actual marketplace policies are startlingly similar. They both require developers to register with their respective portals, pay a fee, agree to lengthy, nonnegotiable, and ever-changing terms and conditions, and then submit themselves to an opaque and indeterminate “app review” process whenever they upload a new app or submit an update to an existing app.

Developers willing to undergo all of this get the benefit of reaching the billions of users served by these marketplaces, but at the cost of a 30% fee skimmed from the top of any and all digital transactions that take place through the app.

These enormous fees have resulted in some of the most profitable business divisions on the history of technology. Google’s play store department has around 70% profit margin, and Apple’s app store is almost 80%. These margins are extraordinary and unprecedented.

Why We Fight

Section titled “Why We Fight”

So what’s the actual problem? Sure, we don’t have any real competition, and sure we have to live under the yoke of capricious and authoritarian tech overlords, but what actual harm is being done here?

In the free software community, we often think of free software as an end that is self-justifying. We love free software because of course we do. But why does the world need free software? Why does the world need open source?

Free software provides a very real and tangible defense against some of the harms that are actively being perpetrated against millions of smartphone users on a daily basis.

A Silent Hazard: Normalized Malware

Section titled “A Silent Hazard: Normalized Malware”

The exorbitant digital taxes I mentioned have led to commercial app developers eschewing the practice of selling their apps directly, and instead resorting to shady tactics to extract monetization from users through other means. One common avenue for this is ad-tech: making money by displaying advertisements to users.

This by itself can be quite profitable, since unlike the web, it is all but impossible to block ads in native applications. And on top of this, the ad-tech that is utilized by these apps is invariably communicating with data brokers, surreptitiously and non-consensually building a profile on users based on every piece of information they can get their hands on.

And that can be a lot of data: depending on what permissions an app can plausibly request, an app might have access to your location, your contacts, your calendar, your photos, and much more. All this data can be siphoned off without your knowledge or consent, and goes towards assembling a profile of you for targeted advertisement, for tracking, and for surveillance, and retained indefinitely, for who knows what future purpose, years or decades down the road. All without your consent or knowledge.

This is malware in its purest form, but these apps are not only accepted, but oftentimes promoted, by the first-party app stores.

A Solution: Free Software

Section titled “A Solution: Free Software”

If we could see inside these apps, we could tell what they were doing any how they are doing it, then we would be able to identify which apps are respecting our rights and which are clandestinely stealing our intimate personal information.

But apps distributed to the app stores are not distributed with their source code, but rather are compiled down into opaque binary blobs whose code is obfuscated or encrypted. Laws like the Digital Millennium Copyright Act in the United States — and the various equivalents subsequently passed in most aligned countries — make it a felony to try to break open these apps to study and reveal their inner workings.

So, free software to the rescue, right? Once could just avoid these hazards by having a personal policy of only ever installing free and open-source software on their devices. It might be tedious to have to cross reference every app you want to install from the Goole Play Store or Apple App Store with some externally curated list of open-source apps, but would be possible, right?

Except, even in cases where you have winnowed a list of potential apps down to only contain ones that are free and open source, how do you actually validate this list? After all, you are just getting an obfuscated or encrypted blob from the app stores. Who is to say that the source code that the creator claimed corresponded to your app is actually complete, and hasn’t had certain malicious bits of it stripped out of it in order to pass scrutiny?

Enter F-Droid: Trust, but verify

Section titled “Enter F-Droid: Trust, but verify”

For 15 years, there has been an app store for Android called F-Droid. As I mentioned previously, there are many app stores on Android, but F-Droid is special: it not only has a policy of including only free and open-source applications, it also has the means to prove it.

When an app is submitted for including in the F-Droid catalog, it is built from the source code, either by the F-Droid servers themselves, or by verifying the reproducibility of a pre-built binary that the developer submits. Reproducibility means that anyone — not just F-Droid — is able to take the source code, build it themselves, and verify, byte-for-byte, that the compiled artifact matches the app that you are installing on your device. In this way, users can have real trust in the applications they choose to let into their lives.

A New Hope for iOS: the Digital Markets Act

Section titled “A New Hope for iOS: the Digital Markets Act”

F-Droid is great, but it only helps the Android half of the market. iPhone users were still stuck with the “trust-me-bro” security that they have become accustomed to in that App Store exclusive environment. At least, that was until the advent of the EU’s Digital Markets Act, which was proposed in 2020, passed in 2022, and went into enforcement in March of 2024.3

One of the requirements of the DMA was that the “digital gatekeepers” of “online intermediation services” — i.e., Apple and Google with their app stores — be required to open them up to competition and interoperability. For Apple, this meant that for the first time since the demise of Cydia, they would have to permit additional app stores onto their devices.

So the outlook was rosy. We could finally have complete control of the software we let into our lives, regardless of which ecosystem we find ourselves in?

The Empire Strikes Back: the gatekeepers’ counter-assault on software freedom

Section titled “The Empire Strikes Back: the gatekeepers’ counter-assault on software freedom”

Unfortunately, Apple wound up implementing a twisted misinterpretation of the rules. Their claimed compliance was to establish a program they called “Alternative App Marketplaces”,4 but they were in no way independent. The marketplaces would need to apply to Apple to be vetted and approved, provide 1 million euros in the form of a letter of credit, and agree to onerous junk fees and persistent oversight.

For developers, they would continue to have to apply to the Apple developer program, pay an annual $100 developer fee, agree to the same nonnegotiable terms and conditions as if they were distributing on Apple’s App Store, and continue to submit their apps and updates though the Apple App Review process, even to get them distributed through the alternative app marketplace of their choosing. It is in no way, shape, or form complying with either the spirit or letter of the DMA, and they’ve gotten away with it without any regulatory repercussions.

Despite all these hurdles and barriers, some new marketplaces have managed to emerge. AltStore is one of them, and its catalog is growing to include new and novel applications that never would have seen the light of day on the Apple App Store.

However, it continues to be impossible to distribute trustworthy and reproducibly built open-source applications through the alternative app marketplace scheme, because when a developer submits their app to Apple and waits for the manual app review process — or “notarization” as they term it — the end result is that the approved app will be wrapped in an encrypted package and signed by Apple themselves, and only then is the bundle passed off to the Alternative App Marketplace for subsequent distribution through to the end user.

Neither the user, not the app marketplace itself, is ever permitted to see inside this encrypted bundle. Not only does this make it impossible for the user to trust and verify the contents of an app that claims to be free and open source, it also makes it impossible for the app marketplace itself to comply with one of Apple’s core requirements for alternative distribution, which is that the marketplace vouch that all apps they distribute are completely free of malware. But this is an impossible requirement, because they forbid the marketplace from examining the apps themselves.

Google: I have altered the deal (pray I don’t alter it further)

Section titled “Google: I have altered the deal (pray I don’t alter it further)”

But at least we still have Android and alternatives like F-Droid, right?

Well, not to be out Darth-Vadered by Apple, Google last year announced out of the blue that it was no longer going to be possible to independently distribute applications without registering centrally with Google.5 Starting this year, they say that developers will be required to create an account with Google, verify their identity, pay a fee, agree to terms and conditions, and register each and every one of their applications centrally with Google. Failure to do so will result in Android Certified devices refusing to install the app at all.

This is an existential threat to software freedom in general, but also to F-Droid specifically.6 We cannot require that developers register with Google, and many will not. If this policy gets implemented, the world will be deprived of some of the most trustworthy and privacy-respecting applications every created.

So instead of inching forward, we are suddenly lurching backwards.

Consolidating Power

Section titled “Consolidating Power”

As the big tech duopoly increasingly tightens their stranglehold over mobile software, we need to be acutely aware of what is at stake with an app store monoculture. This centralization by unaccountable actors has real global consequences.

And this isn’t just about the prevalence bad software. This is also about what software isn’t available. It is about what is banned, blocked, or never approved in the first place.

Your right to protest (Hong Kong 2019), to hold free and fair elections (Russia 2021), and to protect yourself from police brutality (US 2025) is directly jeopardized by the centralized kill switches these companies hold, and their willingness to use it when extra-legal pressure is applied by powerful actors. This couldn’t happen in an open and competitive marketplace.

How We Fight: Make your voice heard

Section titled “How We Fight: Make your voice heard”

The prospects for any meaningful regulation happening on my own home country over the next few years are next to zero. As you have probably already guessed, I’m from the United States.

However, since I’m speaking to a predominantly European crowd, you have the fortune of still having strong regulatory bodies and policymakers that are receptive to the needs of their citizens. Reach out to them. Visit https://keepandroidopen.org to find out who you can contact and the best way to go about it.

And on an individual level, if you are a developer: create free software and distribute it first through the alternative stores: through F-Droid for Android and through AltStore for iOS. You can always distribute it additionally through the first-party app stores afterwards, but the best way to show your support for the alternatives is to make them no longer be “alternatives”, and it is only with your high-quality software they they can thrive and expand.

And even if you are not a developer, you should still be using these stores. Download and install F-Droid on your Android phone, or AltStore on your iPhone. They cost nothing, and the mere act of having these present on your device helps chip away at the self-perceived indomitability of the tech giants.

And who knows, before too long, they may become your primary — or only — source of applications.

Thank you for your time, and enjoy the resort of FOSDEM!

Footnotes

Section titled “Footnotes”

Footnotes

Section titled “Footnotes”

  1. The Rainbow was a monthly magazine dedicated to the TRS-80 Color Computer, a home computer made by Tandy Corporation. Sources: Wikipedia — The Rainbow (Magazine), Archive.org — Rainbow Issue 111

  2. Cydia was first released by Jay Freeman (saurik) on February 28, 2008, for iPhone OS 1.1.x, providing jailbroken iPhone users with an alternative app store before Apple’s official App Store launched later that year. Sources: Wikipedia - Cydia, Wikipedia - Jay Freeman, iDownloadBlog - Cydia Store Shutdown FAQ

  3. The Digital Markets Act (DMA) was proposed by the European Commission in December 2020, formally adopted by the European Parliament on July 5, 2022, signed into law on September 14, 2022, and came into force on November 1, 2022. The regulation started applying on May 2, 2023, with gatekeepers designated on September 6, 2023. Full compliance became mandatory on March 6-7, 2024. Sources: Wikipedia - Digital Markets Act, European Commission - Digital Markets Act, TechPolicy.Press - DMA Roundup March 2024

  4. Apple announced changes to iOS, Safari, and the App Store in the European Union on January 25, 2024, to comply with the Digital Markets Act. The changes included introducing “Alternative App Marketplaces” (also called alternative app distribution), new payment options, and alternative browser engines. However, the implementation required marketplace developers to provide a €1 million letter of credit, submit to Apple’s notarization process, and pay various fees including the Core Technology Fee. The European Commission opened non-compliance investigations against Apple on March 25, 2024, and sent preliminary findings on June 24, 2024, that Apple’s business terms continued to impose anti-competitive provisions. Sources: Apple Newsroom - EU Changes Announcement, Brookings - Overseeing App Stores Under the DMA, TechPolicy.Press - Understanding Apple Non-Compliance

  5. Google announced in August 2025 that it would require all Android app developers to undergo identity verification and register with Google, regardless of whether they distribute through Google Play or alternative channels. The policy requires developers to provide legal name, address, email, phone number, and government-issued ID, plus pay the $25 registration fee. Early access began in October 2025, with full enforcement starting in September 2026 in Brazil, Indonesia, Singapore, and Thailand, followed by global rollout in 2027. Sources: Announcement - Android Developer Blog, Keep Android Open

  6. F-Droid published a detailed response to Google’s developer registration decree on September 29, 2025, warning that the policy represents an existential threat to the project and to software freedom on Android. Source: F-Droid - Google’s Developer Registration Decree, F-Droid - What We Talk About When We Talk About Sideloading

App Fair Retrospective, 2025

- 5 min read - 991 words

As 2025 draws to a close, it’s a good moment to pause and reflect on a year that proved to be both challenging and energizing for the App Fair Project. Building on the momentum of last year’s retrospective, 2025 saw the project deepen its advocacy work, expand its public presence, and respond to some of the most consequential shifts in the app ecosystem in over a decade.

Free App Stores and FOSDEM 2025

Section titled “Free App Stores and FOSDEM 2025”

At FOSDEM 2025 in February I presented “Free App Stores and the Digital Markets Act.” The talk focused on how the DMA reshapes the legal and technical landscape for app distribution in Europe, and what those changes mean for free software, alternative app stores, and user autonomy. You can watch the presentation and read the transcript at FOSDEM 2025: Free App Stores and the Digital Markets Act.

Earlier I had the pleasure of being interviewed for the FSFE’s Software Freedom Podcast by Bonnie Mehring1, where we discussed the App Fair Project, the role of regulation in restoring balance to app ecosystems, and why distribution freedom matters for both developers and users. Listen to the complete Software Freedom Podcast interview.

A Year of Public Engagement

Section titled “A Year of Public Engagement”

This year I joined the board of the F-Droid project. The App Fair Project takes much of its inspiration from F-Droid, and we regard it as a sister project with much wisdom and experience to share from its 15 years of providing free and open-source software to the Android community.

In October, I joined a panel at the Free Software Foundation’s 40-year anniversary celebration2, alongside representatives from the FSF, the Electronic Frontier Foundation, and Sugar Labs. It was inspiring to reflect on four decades of free software advocacy, and to situate today’s struggles over app stores and gatekeepers within that longer history. A write-up of the panel is available at FSF40-panel.

In November, I attended the Digital Markets Act enforcement symposium3, organized by the free-expression organization ARTICLE 19. I participated as a technical expert, helping to assess the issues and proposals raised by presenters at a time when regulators, advocates, and technologists are grappling with how DMA enforcement should work in practice.4 These conversations underscored that while the DMA is already having real effects, sustained technical and policy engagement is essential to ensure its goals are realized.

Google’s Developer Registration Decree

Section titled “Google’s Developer Registration Decree”

One of the defining moments of 2025 came in August, when Google shocked the Android world by unilaterally announcing5 that all developers would be required to register with Google in order to continue distributing their apps on Android Certified devices, even outside of Google Play.

This move fundamentally alters long-standing assumptions about sideloading and independent distribution on Android, and it prompted a series of posts in opposition, published through the F-Droid Blog. In September we posted “Free App Stores and Google’s Developer Registration Decree” and in October we published “What We Talk About When We Talk About Sideloading”, which resulted in an extraordinary amount of press coverage6 and increased awareness of the issue. I was interviewed by a variety or tech publications as well as the popular Techlore channel7.

In parallel, we launched keepandroidopen.org as a focused resource to document the implications of this policy shift, coordinate advocacy, and provide calls to action to resist the lockdown of Android.

Looking Ahead to 2026

Section titled “Looking Ahead to 2026”

As we turn toward 2026, there is no shortage of work ahead. I’ll be attending FOSDEM 2026 alongside members of the F-Droid team and board, and presenting on the main track: “Fear and Loathing in the App Stores: when FLOSS principles collide with the Gatekeeper interests.”8

The project will continue ongoing advocacy in support of strong DMA enforcement and continued opposition to Google’s Android Developer Registration Decree and similar efforts that undermine independent app distribution. We will also continue to forcefully oppose Apple’s “notarization” requirement for its third-party app marketplaces in the EU and Japan (as well as Brazil in the near future).

A founding principle of the App Fair Project is that you have the right to install whatever software you want on your computer, regardless of whether it is on your desk or in your pocket. Apple’s “notarization” and Google’s “developer registration” are two sides of the same coin: a ploy by the mobile duopoly to strengthen their gatekeeping and control what you are allowed to do with the devices that you own.

We’re also preparing the full opening of the App Fair submission process and launch of the appfair.net index, cataloging apps distributed through the App Fair Project and making them easier for users to discover. The technical pieces are mostly in place and we’ve been publishing a handful of sample apps throughout the year in an effort to make the pipeline stable and robust.

Closing Thoughts

Section titled “Closing Thoughts”

2025 reaffirmed that the fight for fair, open, and user-respecting app ecosystems is far from over, but it also showed that sustained advocacy, technical clarity, and community collaboration can make a real difference. I’m deeply grateful to everyone who supported the App Fair Project this year.

Here’s to carrying that momentum forward into 2026!

Footnotes

Section titled “Footnotes”

  1. Software Freedom Podcast #30: The App Fair Project with Marc Prud’hommeaux: https://fsfe.org/news/podcast/2025/episode-30.en.html

  2. Free Software Foundation 40th Anniversary Celebration: https://www.fsf.org/events/fsf40-celebration

  3. ARTICLE 19 DMA Report (PDF): https://www.article19.org/wp-content/uploads/2025/11/DMA-DIGITAL-FINAL-2025.pdf

  4. Tech Policy Press: “What Europe’s Digital Markets Act Has Delivered So Far and What Comes Next”: https://www.techpolicy.press/what-europes-digital-markets-act-has-delivered-so-far-and-what-comes-next/

  5. Android Developers Blog: “A new layer of security for certified Android devices,” 25 August 2025: https://android-developers.googleblog.com/2025/08/elevating-android-security.html

  6. Press reactions: https://keepandroidopen.org/#press-reactions

  7. The Fight for Android’s Open Ecosystem: https://www.youtube.com/watch?v=ZnYSwX45ODA

  8. FOSDEM 2026 Schedule: https://fosdem.org/2026/schedule/event/TYZH97-fear-loathing-app-stores/

What We Talk About When We Talk About Sideloading

- 6 min read - 1197 words

This is a cross-posting of an article I wrote for the F-Droid blog at: https://f-droid.org/en/2025/10/28/sideloading.html. As well as managing the App Fair Project, I also serve on the F-Droid board of directors.

We recently published a blog post with our reaction to the new Google Developer Program and how it impacts your freedom to use the devices that you own in the ways that you want. The post garnered quite a lot of feedback and interest from the community and press, as well as various civil society groups and regulatory agencies.

In this post, I hope to clarify and expand on some of the points and rebut some of the counter-messaging that we have witnessed.

Google’s message that “Sideloading is Not Going Away” is clear, concise, and false

Section titled “Google’s message that “Sideloading is Not Going Away” is clear, concise, and false”

Shortly after our post was published, Google aired an episode of their Android Developers Roundtable series, where they state unequivocally that “sideloading isn’t going anywhere”. They follow-up with a blog post:

Does this mean sideloading is going away on Android? Absolutely not. Sideloading is fundamental to Android and it is not going away.

This statement is untrue. The developer verification decree effectively ends the ability for individuals to choose what software they run on the devices they own.

It bears reminding that “sideload” is a made-up term. Putting software on your computer is simply called “installing”, regardless of whether that computer is in your pocket or on your desk. This could perhaps be further precised as “direct installing”, in case you need to make a distinction between obtaining software the old-fashioned way versus going through a rent-seeking intermediary marketplace like the Google Play Store or the Apple App Store.

Regardless, the term “sideload” was coined to insinuate that there is something dark and sinister about the process, as if the user were making an end-run around safeguards that are designed to keep you protected and secure. But if we reluctantly accept that “sideloading” is a term that has wriggled its way into common parlance, then we should at least use a consistent definition for it. Wikipedia’s summary definition is:

the transfer of apps from web sources that are not vendor-approved

By this definition, Google’s statement that “sideloading is not going away” is simply false. The vendor — Google, in the case of Android certified devices — will, in point of fact, be approving the source. The supplicant app developer must register with Google, pay a fee, provide government identification, agree to non-negotiable (and ever-changing) terms and conditions, enumerate all their current and future application identifiers, upload evidence of their private signing key, and then hope and wait for Google’s approval.

What this means for your rights

Section titled “What this means for your rights”

You, the consumer, purchased your Android device believing in Google’s promise that it was an open computing platform and that you could run whatever software you choose on it. Instead, starting next year, they will be non-consensually pushing an update to your operating system that irrevocably blocks this right and leaves you at the mercy of their judgement over what software you are permitted to trust.

You, the creator, can no longer develop an app and share it directly with your friends, family, and community without first seeking Google’s approval. The promise of Android — and a marketing advantage it has used to distinguish itself against the iPhone — has always been that it is “open”. But Google clearly feels that they have enough of a lock on the Android ecosystem, along with sufficient regulatory capture, that they can now jettison this principle with prejudice and impunity.

You, the state, are ceding the rights of your citizens and your own digital sovereignty to a company with a track record of complying with the extrajudicial demands of authoritarian regimes to remove perfectly legal apps that they happen to dislike. The software that is critical to the running of your businesses and governments will be at the mercy of the opaque whims of a distant and unaccountable corporation. Monocultures are perilous not just in agriculture, but in software distribution as well.

As a reminder, this applies not just to devices that exclusively use the Google Play Store: this is for every Android Certified device everywhere in the world, which encompasses over 95% of all Android devices outside of China. Regardless of whether the device owner prefers to use a competing app store like the Samsung Galaxy Store or the Epic Games Store, or a free and open-source app repository like F-Droid, they will be captive to the overarching policies unilaterally dictated by a competing corporate entity.

The place of greater safety

Section titled “The place of greater safety”

In promoting their developer registration program, Google purports:

Our recent analysis found over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.

We haven’t seen this recent analysis — or any other supporting evidence — but the “50 times” multiple does certainly sound like great cause for distress (even if it is a surprisingly round number). But given the recent news of “224 malicious apps removed from the Google Play Store after ad fraud campaign discovered”, we are left to wonder whether their energies might better be spent assessing and improving their own safeguards rather than casting vague disparagements against the software development communities that thrive outside their walled garden.

In addition, other recent news of over 19 million downloads of malware from the Play Store leads us to question whether the sole judgement of a single corporate entity can be trusted to identify and assess malware, especially when that judgement is clouded by commercial incentives that may not align with the well-being of their users.

What can be done?

Section titled “What can be done?”

Google has been facing public outcry against their heavy-handed policies for a long time, but this trend has accelerated recently. Last year they crippled ad-blockers in Chrome and Chromium-based browsers by forcing through their unpopular “manifest v3” requirement for plugins, and earlier this year they closed off the development of the Android Open Source Project (AOSP), which is how they were able to clandestinely implement the verification infrastructure that enforces their developer registration decree.

Developer verification is an existential threat to free software distribution platforms like F-Droid as well as emergent commercial competitors to the Play Store. We are witnessing a groundswell of opposition to this attempt from both our user and developer communities, as well as the tech press and civil society groups, but public policymakers still need to be educated about the threat.

To learn more about what you can do as a consumer, visit keepandroidopen.org for information on how to contact your representative agencies and advocate for keeping the Android ecosystem open for consumers and competition.

If you are an app developer, we recommend against signing yourself up for Google’s developer registration program at this time. We unequivocally reject their attempt to force this program upon the world.

Over half of all humankind uses an Android smartphone. Google does not own your phone. You own your phone. You have the right to decide who to trust, and where you can get your software from.

Panel opening statement for the FSF40 Celebration

- 4 min read - 582 words

I was honored to be invited as a panelist at the FSF 40-year celebration event in Boston this weekend. Along with Paige Collings, senior speech and privacy activist from the EFF, Devin Ulibarri, the executive director of Sugar Labs, and Greg Farough, the FSF’s campaigns manager, we spent an hour discussing issues around software freedom and privacy, and answered a variety of interesting questions from the audience.

FSF40 panel

Once they post video and transcription, I will reproduce it here, but until then I’ll convey my notes in response to the opening question:

How has the freedom of users of mobile phones changed since the beginning of the F-Droid, in 2010?

In 2010, there were about 25 million active Android devices around the world. In 2025, it has grown to over 3 billion. Given that Android is built on free software — insofar as it runs atop the GPL-licensed Linux kernel — this can be viewed as a phenomenal expansion of free software adoption. The fact that nearly half of humanity is walking around today with a free-software-powered smartphone in their pocket is a testament to the power of the ideas that started right here, 40 years ago, with the Free Software Foundation.

Also since 2010, the F-Droid Project has grown from a small personal hobby project with a handful of apps, into a repository of thousands of free and open-source applications. F-Droid and the App Fair are the app stores you can trust, because all the apps are reviewed to keep out closed and proprietary software dependencies and flag any marginal “anti-features”, so the user is always in control of the software they are running on their device. It is truly the free software Garden of Eden.

And with free software applications running on top of a free kernel, what’s not to love about the current state of the world? We live in a magical time, right?

So also since 2010, the mobile phone ecosystem has contracted from a slew of competing systems — Blackberry, Symbian, Palm OS, Firefox OS, Ubuntu Touch, etc. — down to just two: Android and iPhone, with Android currently holding around 70% global market share. And with the entrenchment of this global smartphone duopoly has arisen increasingly extractive behavior from the corporations that control their ecosystems.

This year, 2025, has been especially dark. In March, the “Android Open Source Project” closed off its development from the public, switching to delayed and periodic snapshot source releases. This has been very difficult for projects like GrapheneOS which are based on AOSP.

And last month, the other shoe dropped: Google announced that starting next year, they would be blocking all app installations on Android certified devices from any developer who has not registered with the Google Developer Program, which requires the scanning of government identity documents, the payment of a fee, and the agreement to Google’s non-negotiable and ever-changing terms and conditions. Developers of Android apps around the world — regardless of whether they distribute through F-Droid, some other commercial app store, or simply by uploading an apk to their web site — will be cut off from their users forever unless they comply. If this goes into effect, it is an extinction event for F-Droid.

And so to answer the original question, “how has the freedom of users of mobile phones changed since in 2010”, I’ll summarize by saying: it went up, and then it went down. And that’s where we are today.

FSF40 panelists