The App Fair Project

google

4 posts with the tag “google”

A Gatekeeper's Paradise: the App Fair response to the first review of the Digital Markets Act

The European Commission has published its first review of the Digital Markets Act[1], the landmark regulation that was supposed to break the stranglehold of Big Tech gatekeepers on app distribution. The accompanying Staff Working Document[2] provides a detailed assessment of compliance across all designated gatekeepers. Despite the conclusion of the review being that the DMA “remains fit for purpose and has positive impact”[3], after two years of enforcement proceedings, preliminary findings, and hundreds of millions of euros in fines, the bleak reality is that Apple remains the sole gatekeeper for every app installed on every iPhone in the world, and Google, emboldened by Apple’s consequence-free defiance, has now begun locking down Android.

Article 6(4)[4] of the Digital Markets Act is Europe’s attempt to pry open the app distribution monopolies. As we argued in our FOSDEM 2026 talk, “Fear and Loathing in the App Stores,”[5] the gatekeepers have every incentive to resist and sabotage this process, and the enforcement mechanisms have thus far proven inadequate to overcome their resistance. The DMA review itself confirms it: the gatekeepers are winning. (For a detailed synthesis of the ~450 stakeholder submissions to the Commission’s review consultation, see our summary and analysis of the DMA first review consultation.)

I. Article 6(4): What the DMA Was Supposed to Require


Article 6(4) of the Digital Markets Act mandates that designated gatekeepers:

“allow and technically enable the installation and effective use of third-party apps or app stores using, or interoperating with, their operating systems, and allow those apps or app stores to be accessed by means other than the gatekeepers’ relevant core platform services.”[4]

The intent is plain and unambiguous: users should be free to install apps from wherever they choose (alternative app stores, the web, or directly from developers) without being forced to submit to the gatekeeper’s procedures, accept their non-negotiable terms and conditions, and be subjected to their junk fees. Gatekeepers may implement security measures, but only to the extent that they are “strictly necessary and proportionate.”[6]

What Actually Happened: Apple’s Malicious Compliance


Before the DMA took effect, Apple’s App Store was the sole channel for distributing native apps on iOS and iPadOS.[7] Article 6(4) was supposed to end this monopoly. But what Apple delivered instead is a masterclass in delay, obfuscation, malicious non-compliance, and outright defiance. Here is a condensed timeline of events:

January 25, 2024: Apple announces its DMA compliance plan.[8] The centerpiece: a new “Core Technology Fee” (CTF) of EUR 0.50 per “first annual install” above one million downloads, applicable to all apps distributed outside the App Store. Their message to developers was: leave the App Store, and we will charge you for every user. Apple also introduces a “Notarization” process, a mandatory review of every app, regardless of distribution channel, through Apple’s own servers, and imposes eligibility requirements so onerous that most developers and aspiring marketplace operators cannot meet them.[9]

March 7, 2024: The DMA’s compliance deadline arrives. iOS 17.4 ships with the changes. In theory, alternative app marketplaces can now operate on iOS. In practice, marketplace operators must either post a EUR 1,000,000 standby letter of credit from an A-rated financial institution, or have been an Apple Developer Program member for two continuous years and have an app with over one million EU installs in the prior year.[10] Nonprofit and open-source projects (including the App Fair Project), the very organizations that should benefit most from open distribution, are effectively locked out by these steep requirements. And their fallback option presents a comically Kafkaesque scenario: to be free of the gatekeeper requirements, you must first subject yourself to them.

March 18, 2024: The Commission hosts a DMA Compliance Workshop for Apple. Attendees (including this author) report an atmosphere of frustration and hostility.[11] Apple’s representatives fend off questions by repeatedly invoking “user security, privacy and safety” while offering no technical substance.

March 19, 2024: The Coalition for App Fairness[12] issues a statement describing Apple’s compliance plan as a “continued refusal to comply with the Digital Markets Act.”[13]

June 24, 2024: The Commission opens a formal non-compliance investigation into Apple’s Article 6(4) compliance, examining the business terms, fees, the “multi-step user journey for installing app stores and apps from the web,” and the eligibility requirements imposed on developers.[14]

April 23, 2025: The Commission finds Apple in breach of the DMA’s anti-steering provisions under Article 5(4) and imposes a EUR 500 million fine.[15] On the same day, it issues preliminary findings of non-compliance on Article 6(4), the alternative distribution obligation.[16] Apple appeals the fine.[17]

June 26, 2025: In response to the fine, Apple announces revised EU business terms, replacing the CTF with a “Core Technology Commission” (CTC), a 5% levy on all sales of digital goods and services.[18] Developers report that the new system involves three separate fees for certain downloads.[19]

January 1, 2026: Apple moves all EU developers to a unified business model based on the CTC.[20] The per-install CTF is nominally eliminated, but the new commission structure ensures Apple continues to extract rents from every transaction, regardless of distribution channel.

January 2026: At the Commission’s DMA Compliance Workshop, the Coalition for App Fairness[12] reports that Apple’s representatives “dodged questions” and demonstrated that they “have no intent to comply with the law.”[21]

The Fundamental Problem: Apple Is Still the Sole Gatekeeper


Through all of these iterations (CTF, CTC, Notarization, eligibility requirements), one fact has remained constant: Apple remains the sole, mandatory intermediary for every app distributed to every iPhone in the world. Every developer, whether distributing through the App Store, an alternative marketplace, or the web, must:

  1. Enroll in the Apple Developer Program, paying Apple’s annual fee and agreeing to Apple’s non-negotiable terms and conditions.
  2. Submit every app to Apple through App Store Connect for “Notarization,” Apple’s euphemism for what is, in substance, the same gatekeeper review process that existed before the DMA, just with slightly loosened restrictions.[10]
  3. Accept Apple’s unilateral right to reject, revoke, or delist any app at any time, for any reason Apple deems appropriate.

As the Free Software Foundation Europe has meticulously documented, Apple’s Notarization process “represents the very gatekeeping behaviour the DMA was written to prevent.”[10] The process requires all apps to be “submitted to Apple’s servers for scanning, approval, and cryptographic re-signing before installation.” Developers of alternative app stores have “no control over the apps they can distribute in their store, as Apple still holds gatekeeping power through notarisation.”

This is not compliance: it is the opposite of compliance. The DMA requires that app distribution be possible without gatekeeper intermediation. Apple has ensured that gatekeeper intermediation remains mandatory, total, and inescapable, and then relabelled it “Notarization” in place of “App Review.”

II. Google’s Android Lockdown: Emboldened by Apple’s Impunity


Regardless of whether the Commission’s tepid response to Apple’s defiance has been due to intentional permissiveness or political pressure, its consequences are now becoming starkly clear. Google has watched Apple scoff at the Digital Markets Act with impunity for two years, being subject to only minuscule fines relative to its revenues, and emerge with its iron-fisted monopoly on app distribution fully intact. And Google has drawn the obvious conclusion: if Apple can get away with it, so can we.

The Android Developer Verification Program


In September 2025, Google quietly introduced its “Developer Verification” policy[22], and in March 2026, the program was rolled out to all developers worldwide.[23] The program establishes, for the first time in Android’s history, Google as the central gatekeeper for the distribution of all apps on Android Certified Devices, encompassing over 95% of Android devices globally.[24]

Here is what the program requires:

  • Every developer who wishes to distribute an app on a certified Android device, whether through the Play Store, an alternative app store like F-Droid, or by direct download, must register with Google through either the Play Console or the new Android Developer Console.[23]
  • Registration requires submitting government-issued identification, paying fees, and accepting Google’s non-negotiable terms and conditions.[24]
  • Every app must be “registered,” that is, associated with a verified developer identity in Google’s database.[23]
  • Beginning in September 2026, unregistered apps will be blocked from installation on certified Android devices unless the user navigates an “advanced flow” that includes a 24-hour waiting period and a device reboot.[25] This will start being enforced in a select group of vulnerable countries, followed by rolling enforcement worldwide in 2027.[23]

Google has framed this as a security measure, claiming to have found “90 times more malware” in apps installed outside the Play Store.[23] But the program’s scope reveals its true purpose: it applies universally, to all apps from all sources, including legitimate app stores that have their own robust security review processes. F-Droid, which has maintained an exemplary security record through transparent verification pipelines, reproducible builds, and community audits for over a decade, is treated identically to a malware distribution network.

On February 24, 2026, a coalition of 37 organizations (now over 60) from over 20 countries around the world, including the Electronic Frontier Foundation, the Free Software Foundation Europe, the Software Freedom Conservancy, F-Droid, Vivaldi, Fastmail, and Article 19, published an open letter opposing the program. The letter contests Google’s reassurances that “sideloading is not going away”, responding that “direct and unintermediated installation of software of your choosing on the device that you own, is indeed going away if they follow through.”[24]

The EFF’s Corynne McSherry has warned that the program “creates a comprehensive database of developer identities worldwide,” making this information vulnerable to government subpoenas and warrants, and placing at particular risk “VPN developers in jurisdictions where privacy tools invite legal scrutiny, journalists and activists building documentation software, and researchers who publish under pseudonyms.”[26]

Apple openly defied the DMA, and has gotten away with it (so far). The Commission responded with proceedings that have dragged on for two years without a final resolution on Article 6(4). Apple was fined EUR 500 million (an amount it earns in approximately six hours[27]) and promptly appealed. And through it all, Apple’s Notarization process has ensured that Apple remains the sole gatekeeper for every app on every iPhone.

Google watched all of this, and decided to follow suit.

This is the very definition of “moral hazard”: when the consequences of defiance are negligible, defiance becomes rational. The Commission’s failure to enforce Article 6(4) with sufficient speed and severity has not merely allowed Apple to maintain its monopoly: it has created a new one. The Android ecosystem, which was the one remaining platform where true alternative distribution was possible, where F-Droid and the App Fair Project could operate freely and developers could distribute apps without any gatekeeper’s permission, is now being locked down. The consequence of the Commission’s restraint is not one closed ecosystem, but two.

Both Apple and Google have invoked the same escape hatch to justify their gatekeeping: the DMA’s allowance for measures that are “strictly necessary and proportionate” to protect “the integrity of the hardware or operating system.”[6] Apple claims that Notarization is essential for platform security. Google claims that Developer Verification is needed to combat malware. In both cases, these security claims are asserted but never demonstrated.

Apple has never published independent evidence that its Notarization process catches threats that would not be caught by alternative security mechanisms (such as the decentralized curation model employed by F-Droid, which relies on reproducible builds, open-source auditing, and community review). Google’s claim that sideloaded apps contain “90 times more malware” than Play Store apps[23] conflates the source of an app with the mechanism of installation. The relevant question is not whether unscreened APKs downloaded from random websites contain more malware than Play Store apps: it is whether apps distributed through legitimate alternative channels with their own review processes (F-Droid, the Samsung Galaxy Store, or direct distribution by established developers) pose a meaningfully different security risk. Neither Apple nor Google has provided evidence that they do.

The “strictly necessary and proportionate” standard is supposed to be a narrow exception, not a blanket authorization. But in practice, it has become an unfalsifiable get-out-of-jail-free card. The gatekeepers claim it is to fight “malware” while studiously avoiding defining the term, leaving it to mean whatever they want it to mean, and leaving them to change the definition and move the goalposts whenever they choose.

The gatekeepers assert that their measures are necessary for security, and because no independent body has the authority to scrutinize those claims, the assertion stands unchallenged. There is no adversarial process, no independent technical review, and no mechanism for developers or alternative distributors to contest the gatekeeper’s security rationale.

This problem extends well beyond app distribution. Apple has invoked the same security justification to resist its interoperability obligations under Article 6(7),[28] and Google could easily do the same. If “security” is an unchallengeable trump card, then every DMA obligation can be circumvented simply by asserting that compliance would create a security risk.

III. The Path Forward: Total Disintermediation


The DMA’s Article 6(4) contains the right principle. The problem is not the law. The problem is that the law has been allowed to be interpreted in a way that permits “compliance” measures that are functionally indistinguishable from the gatekeeping behavior they were supposed to eliminate.

The simple solution is to adhere to a single fundamental principle: app distribution must be possible with no gatekeeper intermediation whatsoever.

What “No Gatekeeper Intermediation” Means

  1. No mandatory registration with the gatekeeper. A developer should not be required to enroll in any program operated by the platform vendor, pay any fee to the platform vendor, or agree to any terms and conditions imposed by the platform vendor, as a precondition for distributing software to users of that platform. This applies equally to Apple’s Developer Program and Google’s Developer Verification.

  2. No mandatory review or approval by the gatekeeper. The platform vendor should have no right to review, approve, reject, or revoke any app distributed outside its own app store. Apple’s “Notarization” and Google’s “Verification” are euphemisms for the same thing: a gatekeeper veto over all software distribution. This veto must end.

  3. No technical barriers to direct installation. Users should be able to install software (what is often misleadingly termed as “sideloading”[29]) by the same mechanism they install any other file: by downloading it and opening it. On every desktop and laptop operating system, installing software from arbitrary sources is the default. It should be the default on mobile platforms as well. Your computer is your computer, regardless of whether it is in your pocket or on your desk.

  4. Alternative app stores must be able to operate independently. Free and open-source app stores like the App Fair Project and F-Droid, as well as commercial marketplaces like the Samsung Galaxy Store and Epic Games Store alike, must be able to distribute apps without any dependency on the platform vendor’s infrastructure, approval processes, or fee structures. The App Fair Project’s own experience demonstrates how far we remain from this ideal: Apple’s eligibility requirements, requiring either a million-euro letter of credit or a million prior downloads within the EU, are designed to ensure that only large, well-capitalized corporations can operate alternative marketplaces.[11]

  1. The non-compliance investigation into Apple’s Article 6(4) compliance has been open since June 2024, nearly two years.[14] It is time for a final decision, and that decision must establish the principle of total disintermediation: that no developer should be required to interact with, pay, or submit to the gatekeeper in order to distribute software to users of that platform.

  2. The Commission must also act preemptively on Google’s Android Developer Verification program. MEP Schaldemose’s question[30] deserves an answer: mandatory developer registration for all apps, including those distributed outside the Play Store, is plainly incompatible with Article 6(4). The Commission should not wait until September 2026 to begin proceedings. It should act now.

  3. The Commission should establish an independent review mechanism for gatekeepers’ security claims, with the burden of proof squarely on the gatekeeper to demonstrate that their measures are, in fact, strictly necessary and proportionate. Without such a mechanism, the security exception will continue to be used as an easy tool to avoid compliance and sabotage the principles of the DMA.

  4. Finally, the Commission should consider whether its enforcement tools are adequate. A EUR 500 million fine against a company with annual revenues exceeding EUR 350 billion[27] is not a deterrent: it is a licensing fee. If gatekeepers can pay fines and maintain their monopolies, fines are not working. The Commission has the power under the DMA to impose structural remedies.[31] It is time to consider using them.

The DMA was enacted to ensure that digital markets are “fair and contestable.”[4] Two years into enforcement, Apple has turned “Notarization” into “App Review” with a different name, and Google has decided that if Apple can be the sole gatekeeper for iOS, then Google can be the sole gatekeeper for Android too.

The Commission’s first review of the DMA acknowledges that alternative app stores “have already emerged and are continuously expanding their range.”[1] This is true, but it obscures the fundamental reality: every one of those alternative stores operates at the pleasure of Apple, subject to Apple’s fees, Apple’s review process, and Apple’s unilateral right to shut them down. That is not an open market: it is a managed concession.

The clock is ticking: Google’s Android Developer Verification enforcement begins in September. If the Commission does not act decisively, not just against Apple’s two-year-old non-compliance, but against Google’s impending lockdown, then the DMA will have achieved the very opposite of its purpose. Instead of opening the app distribution market to fair competition, it will have presided over the closing of the last open platform.

Is it our fate that all mobile software be forever gated by the whims of two opaque and unaccountable profit-seeking corporations? If that future is to change, then change needs to start here and now, before these gatekeepers become inextricably entrenched. The European Commission and the Digital Markets Act team should consider their place in history and do the right thing for both their own businesses and consumers, as well as for the other nations throughout the world whose regulatory bodies are taking their cues from the “Brussels Effect”.

The App Fair Project is a nonprofit organization building free and open-source app marketplace infrastructure. Learn more at appfair.org.

  1. European Commission, “Report from the Commission to the European Parliament, the Council, and the European Economic and Social Committee on the first review of the Digital Markets Act,” COM(2026) 178 final, published April 2026. https://digital-markets-act.ec.europa.eu/consultation-first-review-digital-markets-act_en

  2. European Commission, “Commission Staff Working Document accompanying the Report on the first review of the Digital Markets Act,” SWD(2026) 123 final, published April 2026. https://commission.europa.eu/publications/working-documents-2026_en

  3. “Review highlights Digital Markets Act remains fit for purpose and has positive impact”, press release published April 27, 2026 https://ec.europa.eu/commission/presscorner/detail/en/ip_26_914

  4. Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector (Digital Markets Act), Article 6(4). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R1925

  5. App Fair Project, “Fear and Loathing in the App Stores,” FOSDEM 2026 main track talk, Brussels, February 1, 2026. Examines how Apple and Google maintain their app distribution monopolies despite regulatory intervention. https://appfair.org/blog/fear-and-loathing-in-the-app-stores/

  6. SWD(2026) 123 final, p. 20. The document specifies that gatekeepers “are free to implement measures to protect security and integrity and ensure compliance with other laws to the extent that these measures are strictly necessary and proportionate.” https://commission.europa.eu/publications/working-documents-2026_en

  7. SWD(2026) 123 final, p. 20. “Before the DMA, Apple’s App Store was the only app store on iOS and iPadOS from which native apps could be downloaded.” https://commission.europa.eu/publications/working-documents-2026_en

  8. Apple Inc., “Apple announces changes to iOS, Safari, and the App Store in the European Union,” Apple Newsroom, January 25, 2024. https://www.apple.com/newsroom/2024/01/apple-announces-changes-to-ios-safari-and-the-app-store-in-the-european-union/

  9. Apple requires alternative marketplace operators to either provide a EUR 1,000,000 standby letter of credit from an A-rated financial institution, or have been an Apple Developer Program member for two continuous years with an app exceeding one million first annual installs in the EU. See Apple Developer, “Getting started as an alternative app marketplace in the European Union.” https://developer.apple.com/support/alternative-app-marketplace-in-the-eu/

  10. Free Software Foundation Europe, “Legal Corner: Apple’s ‘notarisation’ — blocking software freedom of developers and users,” November 5, 2025. The FSFE details how Apple’s notarisation process requires all apps to be “submitted to Apple’s servers for scanning, approval, and cryptographic re-signing before installation,” regardless of distribution channel. https://fsfe.org/news/2025/news-20251105-01.en.html

  11. App Fair Project, “Apple DMA Compliance Workshop,” March 18, 2024. First-hand account of the Commission-hosted workshop on Apple’s DMA compliance. https://appfair.org/blog/digital-markets-act-workshop/

  12. Note: The “Coalition for App Fairness” (appfairness.org) and the “App Fair Project” (appfair.org) are distinct and completely unrelated entities.

  13. Coalition for App Fairness (unrelated to the App Fair Project[12]), “CAF Slams Apple’s Continued Refusal to Comply with the Digital Markets Act,” March 19, 2024. https://appfairness.org/caf-slams-apples-continued-refusal-to-comply-with-the-digital-markets-act/

  14. European Commission, “Commission sends preliminary findings to Apple and opens additional non-compliance investigation against Apple under the Digital Markets Act,” Press Release, June 24, 2024. The investigation examines Apple’s business terms, fees, the multi-step user journey, and developer eligibility requirements. https://ec.europa.eu/commission/presscorner/detail/en/ip_24_3433

  15. European Commission, “Commission finds Apple and Meta in breach of the Digital Markets Act,” Press Release, April 23, 2025. Apple was fined EUR 500 million for violating Article 5(4) anti-steering provisions. https://digital-markets-act.ec.europa.eu/commission-finds-apple-and-meta-breach-digital-markets-act-2025-04-23_en

  16. European Commission, “Commission closes investigation into Apple’s user choice obligations and issues preliminary findings on rules for alternative apps under the Digital Markets Act,” Press Release, April 23, 2025. https://digital-markets-act.ec.europa.eu/commission-closes-investigation-apples-user-choice-obligations-and-issues-preliminary-findings-rules-2025-04-23_en

  17. Apple filed an appeal against the EUR 500 million fine (Case T-438/25) on July 7, 2025. See CNBC, “Apple appeals 500 million euro EU fine over App Store policies,” July 7, 2025. https://www.cnbc.com/2025/07/07/apple-appeal-eu-fine-app-store.html

  18. Apple announced the Core Technology Commission (CTC) as successor to the Core Technology Fee, a 5% levy on digital goods and services sold through apps distributed from any channel. See RevenueCat, “Apple’s June 2025 EU update: one entitlement, three fees, and CTF’s 2026 sunset,” June 2025. https://www.revenuecat.com/blog/growth/apple-eu-dma-update-june-2025/

  19. CNBC, “Apple reveals complex system of App Store fees to avoid EU fine of 500 million euro,” June 26, 2025. Reports that some developers now face three separate fees for a single download. https://www.cnbc.com/2025/06/26/apple-eu-500-million-euro-app-store.html

  20. Apple Developer, “Update on apps distributed in the European Union.” Details the unified CTC-based business model effective January 1, 2026. https://developer.apple.com/support/dma-and-apps-in-the-eu/

  21. Coalition for App Fairness (unrelated to the App Fair Project[12]) statement following Apple’s January 2026 DMA Compliance Workshop, in which Apple’s representatives reportedly “dodged questions” and demonstrated “no intent to comply with the law.” See The Register, “Devs say Apple still flouting EU’s DMA six months on,” December 16, 2025. https://www.theregister.com/2025/12/16/apple_dma_complaint/

  22. F-Droid, “Google Developer Verification Policy and the DMA,” September 22, 2025. Initial analysis of Google’s developer verification policy and its implications for the DMA. https://f-droid.org/2025/09/22/google-developer-verification-policy-and-the-dma.html

  23. Google, “Android developer verification: Rolling out to all developers on Play Console and Android Developer Console,” Android Developers Blog, March 2026. https://android-developers.googleblog.com/2026/03/android-developer-verification-rolling-out-to-all-developers.html

  24. F-Droid, “An Open Letter Opposing Android Developer Verification,” February 24, 2026. Signed by 37 organizations including the EFF, FSFE, Software Freedom Conservancy, Vivaldi, Fastmail, and Article 19. https://f-droid.org/2026/02/24/open-letter-opposing-developer-verification.html

  25. Google’s “advanced flow” for installing unregistered apps requires a multi-step process including a 24-hour waiting period and a device reboot. See The Hacker News, “Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams,” March 2026. https://thehackernews.com/2026/03/google-adds-24-hour-wait-for-unverified.html

  26. Electronic Frontier Foundation, as quoted in WinBuzzer, “EFF, F-Droid open letter: Google mandatory Android developer registration,” February 25, 2026. https://winbuzzer.com/2026/02/25/eff-f-droid-open-letter-google-mandatory-android-developer-registration-xcxwbn/

  27. Apple reported annual revenue of approximately USD 391 billion (approximately EUR 360 billion) in fiscal year 2025. A EUR 500 million fine represents roughly 0.14% of annual revenue, or approximately six hours of revenue. See Apple Inc., “Apple Reports Fourth Quarter Results,” October 2025. https://investor.apple.com/sec-filings/default.aspx

  28. Apple has appealed both of the Commission’s March 2025 specification decisions on interoperability under Article 6(7) (Cases T-354/25 and T-359/25). See also FSFE, “Apple keeps challenging its interoperability obligations under the DMA,” April 20, 2026. https://fsfe.org/news/2026/news-20260420-01.html

  29. The term “sideloading” is itself a rhetorical device designed to make direct software installation sound illegitimate. On desktop platforms (Windows, macOS, Linux), installing software from any source is simply called “installing software.” No one speaks of “sideloading” a program onto their laptop. The term exists solely to normalize the idea that mobile devices should be closed platforms where the manufacturer controls all software distribution.

  30. Christel Schaldemose (S&D), Written Question E-001419/2026 to the European Commission, submitted April 8, 2026. Asks whether mandatory developer registration is compatible with the DMA and how the Commission will prevent security requirements from circumventing DMA obligations. https://www.europarl.europa.eu/doceo/document/E-10-2026-001419_EN.html

  31. Under Article 18 of the DMA, the Commission may impose behavioral or structural remedies in cases of systematic non-compliance, including requiring the divestiture of a business or parts of it. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R1925

What We Talk About When We Talk About Sideloading

This is a cross-posting of an article I wrote for the F-Droid blog at: https://f-droid.org/en/2025/10/28/sideloading.html. As well as managing the App Fair Project, I also serve on the F-Droid board of directors.

We recently published a blog post with our reaction to the new Google Developer Program and how it impacts your freedom to use the devices that you own in the ways that you want. The post garnered quite a lot of feedback and interest from the community and press, as well as various civil society groups and regulatory agencies.

In this post, I hope to clarify and expand on some of the points and rebut some of the counter-messaging that we have witnessed.

Google’s message that “Sideloading is Not Going Away” is clear, concise, and false


Shortly after our post was published, Google aired an episode of their Android Developers Roundtable series, where they state unequivocally that “sideloading isn’t going anywhere”. They follow up with a blog post:

“Does this mean sideloading is going away on Android? Absolutely not. Sideloading is fundamental to Android and it is not going away.”

This statement is untrue. The developer verification decree effectively ends the ability for individuals to choose what software they run on the devices they own.

It bears reminding that “sideload” is a made-up term. Putting software on your computer is simply called “installing”, regardless of whether that computer is in your pocket or on your desk. This could perhaps be made more precise as “direct installing”, in case you need to make a distinction between obtaining software the old-fashioned way versus going through a rent-seeking intermediary marketplace like the Google Play Store or the Apple App Store.

Regardless, the term “sideload” was coined to insinuate that there is something dark and sinister about the process, as if the user were making an end-run around safeguards that are designed to keep you protected and secure. But if we reluctantly accept that “sideloading” is a term that has wriggled its way into common parlance, then we should at least use a consistent definition for it. Wikipedia’s summary definition is:

“the transfer of apps from web sources that are not vendor-approved”

By this definition, Google’s statement that “sideloading is not going away” is simply false. The vendor — Google, in the case of Android certified devices — will, in point of fact, be approving the source. The supplicant app developer must register with Google, pay a fee, provide government identification, agree to non-negotiable (and ever-changing) terms and conditions, enumerate all their current and future application identifiers, upload evidence of their private signing key, and then hope and wait for Google’s approval.

You, the consumer, purchased your Android device believing in Google’s promise that it was an open computing platform and that you could run whatever software you choose on it. Instead, starting next year, they will be non-consensually pushing an update to your operating system that irrevocably blocks this right and leaves you at the mercy of their judgement over what software you are permitted to trust.

You, the creator, can no longer develop an app and share it directly with your friends, family, and community without first seeking Google’s approval. The promise of Android — and a marketing advantage it has used to distinguish itself against the iPhone — has always been that it is “open”. But Google clearly feels that they have enough of a lock on the Android ecosystem, along with sufficient regulatory capture, that they can now jettison this principle with prejudice and impunity.

You, the state, are ceding the rights of your citizens and your own digital sovereignty to a company with a track record of complying with the extrajudicial demands of authoritarian regimes to remove perfectly legal apps that they happen to dislike. The software that is critical to the running of your businesses and governments will be at the mercy of the opaque whims of a distant and unaccountable corporation. Monocultures are perilous not just in agriculture, but in software distribution as well.

As a reminder, this applies not just to devices that exclusively use the Google Play Store: this is for every Android Certified device everywhere in the world, which encompasses over 95% of all Android devices outside of China. Regardless of whether the device owner prefers to use a competing app store like the Samsung Galaxy Store or the Epic Games Store, or a free and open-source app repository like F-Droid, they will be captive to the overarching policies unilaterally dictated by a competing corporate entity.

In promoting their developer registration program, Google purports:

“Our recent analysis found over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.”

We haven’t seen this recent analysis — or any other supporting evidence — but the “50 times” multiple does certainly sound like great cause for distress (even if it is a surprisingly round number). But given the recent news of “224 malicious apps removed from the Google Play Store after ad fraud campaign discovered”, we are left to wonder whether their energies might better be spent assessing and improving their own safeguards rather than casting vague disparagements against the software development communities that thrive outside their walled garden.

In addition, other recent news of over 19 million downloads of malware from the Play Store leads us to question whether the sole judgement of a single corporate entity can be trusted to identify and assess malware, especially when that judgement is clouded by commercial incentives that may not align with the well-being of their users.

Google has been facing public outcry against their heavy-handed policies for a long time, but this trend has accelerated recently. Last year they crippled ad-blockers in Chrome and Chromium-based browsers by forcing through their unpopular “manifest v3” requirement for plugins, and earlier this year they closed off the development of the Android Open Source Project (AOSP), which is how they were able to clandestinely implement the verification infrastructure that enforces their developer registration decree.

Developer verification is an existential threat to free software distribution platforms like F-Droid as well as emergent commercial competitors to the Play Store. We are witnessing a groundswell of opposition to this attempt from both our user and developer communities, as well as the tech press and civil society groups, but public policymakers still need to be educated about the threat.

To learn more about what you can do as a consumer, visit keepandroidopen.org for information on how to contact your representative agencies and advocate for keeping the Android ecosystem open for consumers and competition.

If you are an app developer, we recommend against signing yourself up for Google’s developer registration program at this time. We unequivocally reject their attempt to force this program upon the world.

Over half of all humankind uses an Android smartphone. Google does not own your phone. You own your phone. You have the right to decide who to trust, and where you can get your software from.

Panel opening statement for the FSF40 Celebration

I was honored to be invited as a panelist at the FSF 40-year celebration event in Boston this weekend. Along with Paige Collings, senior speech and privacy activist from the EFF, Devin Ulibarri, the executive director of Sugar Labs, and Greg Farough, the FSF’s campaigns manager, we spent an hour discussing issues around software freedom and privacy, and answered a variety of interesting questions from the audience.

FSF40 panel

Once they post video and transcription, I will reproduce it here, but until then I’ll convey my notes in response to the opening question:

“How has the freedom of users of mobile phones changed since the beginning of F-Droid, in 2010?”

In 2010, there were about 25 million active Android devices around the world. In 2025, it has grown to over 3 billion. Given that Android is built on free software — insofar as it runs atop the GPL-licensed Linux kernel — this can be viewed as a phenomenal expansion of free software adoption. The fact that nearly half of humanity is walking around today with a free-software-powered smartphone in their pocket is a testament to the power of the ideas that started right here, 40 years ago, with the Free Software Foundation.

Also since 2010, the F-Droid Project has grown from a small personal hobby project with a handful of apps, into a repository of thousands of free and open-source applications. F-Droid and the App Fair are the app stores you can trust, because all the apps are reviewed to keep out closed and proprietary software dependencies and flag any marginal “anti-features”, so the user is always in control of the software they are running on their device. It is truly the free software Garden of Eden.

And with free software applications running on top of a free kernel, what’s not to love about the current state of the world? We live in a magical time, right?

So also since 2010, the mobile phone ecosystem has contracted from a slew of competing systems — Blackberry, Symbian, Palm OS, Firefox OS, Ubuntu Touch, etc. — down to just two: Android and iPhone, with Android currently holding around 70% global market share. And with the entrenchment of this global smartphone duopoly has arisen increasingly extractive behavior from the corporations that control their ecosystems.

This year, 2025, has been especially dark. In March, the “Android Open Source Project” closed off its development from the public, switching to delayed and periodic snapshot source releases. This has been very difficult for projects like GrapheneOS which are based on AOSP.

And last month, the other shoe dropped: Google announced that starting next year, they would be blocking all app installations on Android certified devices from any developer who has not registered with the Google Developer Program, which requires the scanning of government identity documents, the payment of a fee, and the agreement to Google’s non-negotiable and ever-changing terms and conditions. Developers of Android apps around the world — regardless of whether they distribute through F-Droid, some other commercial app store, or simply by uploading an apk to their web site — will be cut off from their users forever unless they comply. If this goes into effect, it is an extinction event for F-Droid.

And so to answer the original question, “how has the freedom of users of mobile phones changed since 2010”, I’ll summarize by saying: it went up, and then it went down. And that’s where we are today.

FSF40 panelists

Free App Stores and Google's Developer Registration Decree

This is a cross-posting of an article I wrote for the F-Droid blog at: https://f-droid.org/en/2025/09/29/google-developer-registration-decree.html. As well as managing the App Fair Project, I also serve on the F-Droid board of directors.

For the past 15 years, F-Droid has provided a safe and secure haven for Android users around the world to find and install free and open source apps. When contrasted with the commercial app stores — of which the Google Play store is the most prominent — the differences are stark: they are hotbeds of spyware and scams, blatantly promoting apps that prey on their users through attempts to monetize their attention and mine their intimate information through any means necessary, including trickery and dark patterns.

F-Droid is different. It distributes apps that have been validated to work for the user’s interests, rather than for the interests of the app’s distributors. The way F-Droid works is simple: when a developer creates an app and hosts the source code publicly somewhere, the F-Droid team reviews it, inspecting it to ensure that it is completely open source and contains no undocumented anti-features such as advertisements or trackers. Once it passes inspection, the F-Droid build service compiles and packages the app to make it ready for distribution. The package is then either signed with F-Droid’s cryptographic key or, if the build is reproducible, distributed with the signature produced by the original developer’s private key. In this way, users can trust that any app distributed through F-Droid is the one that was built from the specified source code and has not been tampered with.

Do you want a weather app that doesn’t transmit your every movement to a shadowy data broker? Or a scheduling assistant that doesn’t siphon your intimate details into an advertisement network? F-Droid has your back. Just as sunlight is the best disinfectant against corruption, open source is the best defense against software acting against the interests of the user.

Google’s move to break free app distribution


The future of this elegant and proven system was put in jeopardy last month, when Google unilaterally decreed that Android developers everywhere in the world are going to be required to register centrally with Google. In addition to demanding payment of a registration fee and agreement to their (non-negotiable and ever-changing) terms and conditions, Google will also require the uploading of personally identifying documents, including government ID, by the authors of the software, as well as enumerating all the unique “application identifiers” for every app that is to be distributed by the registered developer.

The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.

If it were to be put into effect, the developer registration decree would end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world would be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all. F-Droid’s myriad users would be left adrift, with no means to install — or even update their existing installed — applications. (How many F-Droid users are there, exactly? We don’t know, because we don’t track users or have any registration: “No user accounts, by design”)

While directly installing — or “sideloading” — software can be construed as carrying some inherent risk, it is false to claim that centralized app stores are the only safe option for software distribution. Google Play itself has repeatedly hosted malware, proving that corporate gatekeeping doesn’t guarantee user protection. By contrast, F-Droid offers a trustworthy and transparent alternative approach to security: every app is free and open source, the code can be audited by anyone, the build process and logs are public, and reproducible builds ensure that what is published matches the source code exactly. This transparency and accountability provides a stronger basis for trust than closed platforms, while still giving users freedom to choose. Restricting direct app installation not only undermines that choice, it also erodes the diversity and resilience of the open-source ecosystem by consolidating control in the hands of a few corporate players.

Furthermore, Google’s framing that they need to mandate developer registration in order to defend against malware is disingenuous because they already have a remediation mechanism for malware they identify on a device: the Play Protect service that is enabled on all Android Certified devices already scans and disables apps that have been identified as malware, regardless of their provenance. Any perceived risks associated with direct app installation can be mitigated through user education, open-source transparency, and existing security measures without imposing exclusionary registration requirements.

We do not believe that developer registration is motivated by security. We believe it is about consolidating power and tightening control over a formerly open ecosystem.

If you own a computer, you should have the right to run whatever programs you want on it. This is just as true with the apps on your Android/iPhone mobile device as it is with the applications on your Linux/Mac/Windows desktop or server. Forcing software creators into a centralized registration scheme in order to publish and distribute their works is as egregious as forcing writers and artists to register with a central authority in order to be able to distribute their creative works. It is an offense to the core principles of free speech and thought that are central to the workings of democratic societies around the world.

By tying application identifiers to personal ID checks and fees, Google is building a choke point that restricts competition and limits user freedom. It must find a solution which preserves user rights, freedom of choice, and a healthy, competitive ecosystem.

Regulatory and competition authorities should look carefully at Google’s proposed activities, and ensure that policies designed to improve security are not abused to consolidate monopoly control. We urge regulators to safeguard the ability of alternative app stores and open-source projects to operate freely, and to protect developers who cannot or will not comply with exclusionary registration schemes and demands for personal information.

If you are a developer or user who values digital freedom, you can help. Write to your Member of Parliament, Congressperson or other representative, sign petitions in defense of sideloading and software freedom, and contact the European Commission’s Digital Markets Act (DMA) team to express why preserving open distribution matters. By making your voice heard, you help defend not only F-Droid, but the principle that software should remain a commons, accessible and free from unnecessary corporate gatekeeping.