developer

3 posts with the tag “developer”

What We Talk About When We Talk About Sideloading

2025/10/28 - 6 min read - 1197 words

This is a cross-posting of an article I wrote for the F-Droid blog at: https://f-droid.org/en/2025/10/28/sideloading.html ↗. As well as managing the App Fair Project, I also serve on the F-Droid board of directors.

We recently published a blog post with our reaction to the new Google Developer Program and how it impacts your freedom to use the devices that you own in the ways that you want. The post garnered quite a lot of feedback and interest from the community and press, as well as various civil society groups and regulatory agencies.

In this post, I hope to clarify and expand on some of the points and rebut some of the counter-messaging that we have witnessed.

Google’s message that “Sideloading is Not Going Away” is clear, concise, and false

Shortly after our post was published, Google aired an episode ↗ of their Android Developers Roundtable series, where they state unequivocally that “sideloading isn’t going anywhere”. They follow-up with a blog post ↗:

Does this mean sideloading is going away on Android? Absolutely not. Sideloading is fundamental to Android and it is not going away.

This statement is untrue. The developer verification decree effectively ends the ability for individuals to choose what software they run on the devices they own.

It bears reminding that “sideload” is a made-up term. Putting software on your computer is simply called “installing”, regardless of whether that computer is in your pocket or on your desk. This could perhaps be further precised as “direct installing”, in case you need to make a distinction between obtaining software the old-fashioned way versus going through a rent-seeking intermediary marketplace like the Google Play Store or the Apple App Store.

Regardless, the term “sideload” was coined to insinuate that there is something dark and sinister about the process, as if the user were making an end-run around safeguards that are designed to keep you protected and secure. But if we reluctantly accept that “sideloading” is a term that has wriggled its way into common parlance, then we should at least use a consistent definition for it. Wikipedia’s summary definition ↗ is:

the transfer of apps from web sources that are not vendor-approved

By this definition, Google’s statement that “sideloading is not going away” is simply false. The vendor — Google, in the case of Android certified devices — will, in point of fact, be approving the source. The supplicant app developer must register with Google, pay a fee, provide government identification, agree to non-negotiable (and ever-changing) terms and conditions, enumerate all their current and future application identifiers, upload evidence of their private signing key, and then hope and wait for Google’s approval.

What this means for your rights

You, the consumer, purchased your Android device believing in Google’s promise that it was an open computing platform and that you could run whatever software you choose on it. Instead, starting next year, they will be non-consensually pushing an update to your operating system that irrevocably blocks this right and leaves you at the mercy of their judgement over what software you are permitted to trust.

You, the creator, can no longer develop an app and share it directly with your friends, family, and community without first seeking Google’s approval. The promise of Android — and a marketing advantage it has used to distinguish itself against the iPhone — has always been that it is “open”. But Google clearly feels that they have enough of a lock on the Android ecosystem, along with sufficient regulatory capture, that they can now jettison this principle with prejudice and impunity.

You, the state, are ceding the rights of your citizens and your own digital sovereignty to a company with a track record of complying with the extrajudicial demands of authoritarian regimes to remove perfectly legal apps that they happen to dislike. The software that is critical to the running of your businesses and governments will be at the mercy of the opaque whims of a distant and unaccountable corporation. Monocultures are perilous not just in agriculture, but in software distribution as well.

As a reminder, this applies not just to devices that exclusively use the Google Play Store: this is for every Android Certified device everywhere in the world, which encompasses over 95% of all Android devices outside of China. Regardless of whether the device owner prefers to use a competing app store like the Samsung Galaxy Store or the Epic Games Store, or a free and open-source app repository like F-Droid, they will be captive to the overarching policies unilaterally dictated by a competing corporate entity.

The place of greater safety

In promoting their developer registration program, Google purports ↗:

Our recent analysis found over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.

We haven’t seen this recent analysis — or any other supporting evidence — but the “50 times” multiple does certainly sound like great cause for distress (even if it is a surprisingly round number). But given the recent news ↗ of “224 malicious apps removed from the Google Play Store after ad fraud campaign discovered”, we are left to wonder whether their energies might better be spent assessing and improving their own safeguards rather than casting vague disparagements against the software development communities that thrive outside their walled garden.

In addition, other recent news ↗ of over 19 million downloads of malware from the Play Store leads us to question whether the sole judgement of a single corporate entity can be trusted to identify and assess malware, especially when that judgement is clouded by commercial incentives that may not align with the well-being of their users.

What can be done?

Google has been facing public outcry against their heavy-handed policies for a long time, but this trend has accelerated recently. Last year they crippled ad-blockers ↗ in Chrome and Chromium-based browsers by forcing through their unpopular “manifest v3” requirement for plugins, and earlier this year they closed off ↗ the development of the Android Open Source Project (AOSP), which is how they were able to clandestinely implement the verification infrastructure that enforces their developer registration decree.

Developer verification is an existential threat to free software distribution platforms like F-Droid as well as emergent commercial competitors to the Play Store. We are witnessing a groundswell of opposition to this attempt from both our user and developer communities, as well as the tech press and civil society groups, but public policymakers still need to be educated about the threat.

To learn more about what you can do as a consumer, visit keepandroidopen.org ↗ for information on how to contact your representative agencies and advocate for keeping the Android ecosystem open for consumers and competition.

If you are an app developer, we recommend against signing yourself up for Google’s developer registration program at this time. We unequivocally reject their attempt to force this program upon the world.

Over half of all humankind uses an Android smartphone. Google does not own your phone. You own your phone. You have the right to decide who to trust, and where you can get your software from.

Panel opening statement for the FSF40 Celebration

2025/10/06 - 4 min read - 582 words

I was honored to be invited as a panelist ↗ at the FSF 40-year celebration event in Boston this weekend. Along with Paige Collings, senior speech and privacy activist from the EFF, Devin Ulibarri, the executive director of Sugar Labs, and Greg Farough, the FSF’s campaigns manager, we spent an hour discussing issues around software freedom and privacy, and answered a variety of interesting questions from the audience.

Once they post video and transcription, I will reproduce it here, but until then I’ll convey my notes in response to the opening question:

How has the freedom of users of mobile phones changed since the beginning of the F-Droid, in 2010?

In 2010, there were about 25 million active Android devices around the world. In 2025, it has grown to over 3 billion. Given that Android is built on free software — insofar as it runs atop the GPL-licensed Linux kernel — this can be viewed as a phenomenal expansion of free software adoption. The fact that nearly half of humanity is walking around today with a free-software-powered smartphone in their pocket is a testament to the power of the ideas that started right here, 40 years ago, with the Free Software Foundation.

Also since 2010, the F-Droid Project has grown from a small personal hobby project with a handful of apps, into a repository of thousands of free and open-source applications. F-Droid and the App Fair are the app stores you can trust, because all the apps are reviewed to keep out closed and proprietary software dependencies and flag any marginal “anti-features”, so the user is always in control of the software they are running on their device. It is truly the free software Garden of Eden.

And with free software applications running on top of a free kernel, what’s not to love about the current state of the world? We live in a magical time, right?

So also since 2010, the mobile phone ecosystem has contracted from a slew of competing systems — Blackberry, Symbian, Palm OS, Firefox OS, Ubuntu Touch, etc. — down to just two: Android and iPhone, with Android currently holding around 70% global market share. And with the entrenchment of this global smartphone duopoly has arisen increasingly extractive behavior from the corporations that control their ecosystems.

This year, 2025, has been especially dark. In March, the “Android Open Source Project” closed off its development from the public, switching to delayed and periodic snapshot source releases. This has been very difficult for projects like GrapheneOS which are based on AOSP.

And last month, the other shoe dropped: Google announced that starting next year, they would be blocking all app installations on Android certified devices from any developer who has not registered with the Google Developer Program, which requires the scanning of government identity documents, the payment of a fee, and the agreement to Google’s non-negotiable and ever-changing terms and conditions. Developers of Android apps around the world — regardless of whether they distribute through F-Droid, some other commercial app store, or simply by uploading an apk to their web site — will be cut off from their users forever unless they comply. If this goes into effect, it is an extinction event for F-Droid.

And so to answer the original question, “how has the freedom of users of mobile phones changed since in 2010”, I’ll summarize by saying: it went up, and then it went down. And that’s where we are today.

Free App Stores and Google's Developer Registration Decree

2025/09/29 - 6 min read - 1147 words

This is a cross-posting of an article I wrote for the F-Droid blog at: https://f-droid.org/en/2025/09/29/google-developer-registration-decree.html ↗. As well as managing the App Fair Project, I also serve on the F-Droid board of directors.

For the past 15 years ↗, F-Droid has provided a safe and secure haven for Android users around the world to find and install free and open source apps. When contrasted with the commercial app stores — of which the Google Play store is the most prominent — the differences are stark: they are hotbeds of spyware and scams, blatantly promoting apps that prey on their users through attempts to monetize their attention and mine their intimate information through any means necessary, including trickery and dark patterns ↗.

F-Droid is different. It distributes apps that have been validated to work for the user’s interests, rather than for the interests of the app’s distributors. The way F-Droid works is simple: when a developer creates an app and hosts the source code publicly somewhere, the F-Droid team reviews it, inspecting it to ensure that it is completely open source and contains no undocumented anti-features ↗ such as advertisements or trackers. Once it passes inspection, the F-Droid build service compiles and packages the app to make it ready for distribution. The package is then signed either with F-Droid’s cryptographic key, or, if the build is reproducible ↗, enables distribution using the original developer’s private key. In this way, users can trust that any app distributed through F-Droid is the one that was built from the specified source code and has not been tampered with.

Do you want a weather app that doesn’t transmit your every movement ↗ to a shadowy data broker? Or a scheduling assistant that doesn’t siphon your intimate details ↗ into an advertisement network? F-Droid has your back. Just as sunlight is the best disinfectant against corruption, open source is the best defense against software acting against the interests of the user.

Google’s move to break free app distribution

The future of this elegant and proven system was put in jeopardy last month, when Google unilaterally decreed ↗ that Android developers everywhere in the world are going to be required to register centrally with Google. In addition to demanding payment of a registration fee and agreement to their (non-negotiable and ever-changing) terms and conditions, Google will also require the uploading of personally identifying documents ↗, including government ID, by the authors of the software, as well as enumerating ↗ all the unique “application identifiers” for every app that is to be distributed by the registered developer.

The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.

If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world will be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all. F-Droid’s myriad users will be left adrift, with no means to install — or even update their existing installed — applications. (How many F-Droid users are there, exactly? We don’t know, because we don’t track users or have any registration: “No user accounts, by design” ↗)

The Security Canard

While directly installing — or “sideloading” — software can be construed as carrying some inherent risk, it is false to claim that centralized app stores are the only safe option for software distribution. Google Play itself has repeatedly ↗ hosted ↗ malware, proving that corporate gatekeeping doesn’t guarantee user protection. By contrast, F-Droid offers a trustworthy and transparent alternative approach to security: every app is free and open source, the code can be audited by anyone, the build process and logs are public, and reproducible builds ensure that what is published matches the source code exactly. This transparency and accountability provides a stronger basis for trust than closed platforms, while still giving users freedom to choose. Restricting direct app installation not only undermines that choice, it also erodes the diversity and resilience of the open-source ecosystem by consolidating control in the hands of a few corporate players.

Furthermore, Google’s framing that they need to mandate developer registration in order to defend against malware is disingenuous because they already have a remediation mechanism for malware they identify on a device: the Play Protect service ↗ that is enabled on all Android Certified devices already scans and disables apps that have been identified as malware, regardless of their provenience. Any perceived risks associated with direct app installation can be mitigated through user education, open-source transparency, and existing security measures without imposing exclusionary registration requirements.

We do not believe that developer registration is motivated by security. We believe it is about consolidating power and tightening control over a formerly open ecosystem.

The Right to Run

If you own a computer, you should have the right to run whatever programs you want on it. This is just as true with the apps on your Android/iPhone mobile device as it is with the applications on your Linux/Mac/Windows desktop or server. Forcing software creators into a centralized registration scheme in order to publish and distribute their works is as egregious as forcing writers and artists to register with a central authority in order to be able to distribute their creative works. It is an offense to the core principles of free speech and thought that are central to the workings of democratic societies around the world.

By tying application identifiers to personal ID checks and fees, Google is building a choke point that restricts competition and limits user freedom. It must find a solution which preserves user rights, freedom of choice, and a healthy, competitive ecosystem.

What do we propose?

Regulatory and competition authorities should look carefully at Google’s proposed activities, and ensure that policies designed to improve security are not abused to consolidate monopoly control. We urge regulators to safeguard the ability of alternative app stores and open-source projects to operate freely, and to protect developers who cannot or will not comply with exclusionary registration schemes and demands for personal information.

If you are a developer or user who values digital freedom, you can help. Write to your Member of Parliament ↗, Congressperson ↗ or other representative, sign petitions in defense of sideloading and software freedom, and contact ↗ the European Commission’s Digital Markets Act (DMA) team to express why preserving open distribution matters. By making your voice heard, you help defend not only F-Droid, but the principle that software should remain a commons, accessible and free from unnecessary corporate gatekeeping.