Table of Contents

Android has been marketed as an open platform for over a decade—but Google’s 2026 developer verification mandate is rewriting that bargain. Starting September 2026, every developer distributing apps outside the Play Store must register their identity with Google, pay a $25 fee, and submit government-issued ID. The result: F-Droid and the open-source Android ecosystem are fighting for survival.

What Google’s Developer Verification Policy Actually Does

On August 25, 2025, Google published a post on its Android Developers Blog titled “A new layer of security for certified Android devices,” announcing that beginning in 2026, all apps installed on certified Android devices—including those sideloaded outside the Play Store—must originate from registered developers.1

The mechanics are specific and deliberate:

  • Developers must create an Android Developer Console account (a one-time $25 fee linked to a Google payment profile)
  • Both personal and organizational accounts require government-issued identity documents and a verified phone number
  • Apps from unregistered developers cannot be installed on certified Android devices from March 2026 onwards
  • Full enforcement—where unverified apps are blocked by default—rolls out in Brazil, Indonesia, Singapore, and Thailand in September 2026, with global expansion planned for 20272

Google frames this as a security measure against financial scams and malware, particularly in emerging markets where phone fraud is rampant. The company’s stated goal is ensuring users can trust the provenance of any software on their device—not just software from the Play Store.

How F-Droid Works—And Why It’s Threatened

F-Droid is a free and open-source app repository for Android, operating since 2010 as an alternative to Google Play. Unlike commercial app stores, F-Droid builds apps directly from verified source code rather than distributing developer-supplied binaries. Every app in its main repository is free and open-source software; anti-features like advertising, user tracking, and dependencies on proprietary services are explicitly flagged in app listings.3

The repository currently hosts over 3,800 applications. Users can browse, download, and install software without creating any account, and the F-Droid server software itself is open-source—anyone can run their own repository using the same infrastructure.

This architecture is incompatible with Google’s verification model. F-Droid does not require developers to register with any central authority. Its entire value proposition rests on distributing software that any developer—including anonymous ones—can contribute to without gatekeepers.

Under the new mandate, F-Droid and similar repositories face a structural problem: even if F-Droid as an organization complied, it would need every developer whose app it hosts to individually register with Google. For the thousands of small, volunteer-driven, or pseudonymous projects that form the backbone of the FOSS ecosystem, that requirement is a barrier many won’t or can’t clear.

The Open-Source App Store Landscape

Alternative distribution channels have evolved into a mature ecosystem, each addressing different needs:

Store / ToolApp CountSource ModelGoogle Account RequiredPrivacy Focus
F-Droid~3,800+Builds from source, FOSS onlyNoHigh
Aurora Store~3 millionProxies Google PlayAnonymous tokenMedium
ObtainiumUnlimited*Direct from GitHub/GitLabNoHigh
IzzyOnDroid~1,000+F-Droid-compatible repoNoHigh
Droid-ify / Neo StoreSame as F-DroidF-Droid clientNoHigh
Aptoide~1 million+Developer-submitted APKsOptionalLow-Medium

*Obtainium pulls directly from developer release pages, so its catalog is limited only by what developers publish on public repositories like GitHub or their own sites.

Aurora Store occupies a different niche: it provides access to the Play Store’s catalog without requiring a Google account, using anonymous authentication tokens. This doesn’t circumvent Google’s verification requirement for sideloaded apps—Aurora Store distributes Play Store apps that are already verified—but it does allow users to avoid signing into Google services.4

Obtainium is the most radical alternative: it bypasses app stores entirely, installing apps directly from developer release pages on GitHub, GitLab, or custom URLs. For users who want to track upstream releases without waiting for repository maintainers, it’s the most direct path—but it requires users to actively manage each app’s source.5

The Coalition Pushing Back: Keep Android Open

On February 24, 2026, a coalition of 37 organizations published an open letter to Google CEO Sundar Pichai—along with co-founders Sergey Brin and Larry Page—demanding the company rescind the developer verification mandate.6

The letter, hosted at keepandroidopen.org and published simultaneously on F-Droid’s blog, was led by F-Droid board member Marc Prud’hommeaux. Signatories include the Electronic Frontier Foundation, the Free Software Foundation, and dozens of smaller open-source and privacy organizations.

The letter’s central argument: Android already includes multiple security mechanisms that don’t require central registration—Google Play Protect, app permissions, sandboxing, and verified boot. Requiring government ID registration goes further than security demands, functionally creating a registry of every developer on the planet who wants software to run on Android devices.

The letter argues that “future app store competitors, whether commercial or non-profit, will forever be disadvantaged by their developers being required to sign up with Google, bound to their voluminous, non-negotiable, and ever-changing terms and conditions, pay a fee, upload government-issued identification, and register each and every one of their applications with Google.”8

This isn’t merely hypothetical friction. It structurally advantages Google’s own distribution channel over every alternative—including the ones required under competition law in the EU.

Google’s Concession: “High Friction” by Design

After initial backlash following the August 2025 announcement, Google responded by announcing an “advanced flow” that would allow power users to install unverified apps even after the mandate takes effect. The concession sounds like a win for openness—until you read Google’s own description of it.

In a January 19, 2026 exchange reported by 9to5Google, the company explicitly called the new sideloading flow “high friction.”9 The intended design involves multiple confirmation screens, strong warnings about risks, and deliberate delays—all by design. The goal, Google says, is to ensure users aren’t coerced into bypassing safety checks by scammers.

F-Droid’s position on this concession is pointed: Google has refused repeated requests for concrete details about what the advanced flow will look like, when it will be available, and whether it will function in a way that doesn’t actively discourage use. As F-Droid stated in its open letter post, it is “reasonable to predict that if and when it is ever made available… it will be maximally obscure and high-friction.”10

The AOSP Slowdown: A Parallel Enclosure

Developer verification isn’t the only structural change tightening Google’s grip on Android. In January 2026, Google announced it would cut AOSP source code releases from quarterly to biannual, publishing code only in Q2 and Q4 of each year.11

The Android Open Source Project has been the legal and technical foundation enabling projects like LineageOS, GrapheneOS, and CalyxOS to exist. Quarterly releases allowed these projects to stay current with Google’s changes, track security patches, and maintain timely support for devices. Under the new biannual schedule, the gap between what Google’s internal builds contain and what the public AOSP reflects can stretch for months.

For context: Google did not release Pixel device configuration sources and driver binaries alongside Android 16—a departure from past practice that the FOSS community noted with alarm. OSNews characterized it as “Google takes next big leap in killing AOSP.”12

Custom ROM communities face a compounding problem: fewer source drops means longer waits for security patches. For users relying on extended-support devices running LineageOS or CalyxOS—often older hardware that manufacturers have abandoned—this directly degrades their security posture.

Where Regulation Fits In

The antitrust dimensions of this fight are real and actively escalating. The EU’s Digital Markets Act forced Apple to allow alternative app stores in the EU by 2025—a precedent that applies pressure to Android as well, given that Google is a designated gatekeeper under the DMA.

F-Droid’s Prud’hommeaux has made explicit contact with regulators. The campaign is also watching what happened in parallel with Apple: the DMA required Apple to open iOS to competing app stores not because Apple agreed it was a good idea, but because regulators mandated it.13

The difference is that Android has always marketed itself as more open than iOS—which makes the current tightening both more politically vulnerable and more surprising to the developer community that built its ecosystem around that promise.

What Practitioners Need to Know Now

For developers distributing apps outside the Play Store, the timeline is live. Verification opened for all developers in March 2026. Here’s the current state:

  • Developer verification program launched (March 2026)
  • Apps from unregistered developers blocked by default — September 2026 (Brazil, Indonesia, Singapore, Thailand)
  • Advanced flow for power users — timeline unconfirmed
  • Global enforcement — 2027

Open-source developers who want their apps to remain installable on certified Android devices need to register with Google before September 2026, or accept that their software will be blocked for the majority of Android users without the technical sophistication to navigate the advanced flow.

For users invested in open-source Android, the practical toolkit for 2026 remains functional: F-Droid and Obtainium can still be used today, GrapheneOS and CalyxOS remain viable on supported hardware, and the policy hasn’t taken full effect yet. But the window for easy, frictionless access is closing.

Frequently Asked Questions

Q: Will F-Droid stop working after September 2026? A: Not immediately, and not universally. F-Droid continues to function on uncertified devices (like those running GrapheneOS or CalyxOS) and in regions outside the initial rollout. On certified Android devices in the affected regions, installing apps from unregistered developers will be blocked by default—but the “advanced flow” workaround is expected to remain available for technically capable users, albeit with deliberate friction.

Q: What is the difference between Aurora Store and F-Droid? A: F-Droid exclusively hosts free and open-source apps, builds them from verified source code, and requires no account. Aurora Store provides access to Google Play’s full catalog of ~3 million apps without a Google account, using anonymous authentication tokens—but it distributes the same proprietary binaries as the Play Store.

Q: Does Google’s verification requirement apply to AOSP custom ROMs like LineageOS? A: The policy applies to certified Android devices. AOSP-based custom ROMs that don’t carry Google’s certification are not subject to the same restrictions—but they also lack access to Play Store apps and Google services, requiring users to source all apps independently.

Q: Who signed the Keep Android Open open letter? A: As of February 24, 2026, 37 organizations have signed, including the Electronic Frontier Foundation, the Free Software Foundation, and F-Droid. The letter is addressed to Google CEO Sundar Pichai and co-founders Sergey Brin and Larry Page, and the campaign has filed complaints with US, Brazilian, and EU competition regulators.14

Q: Is there a way to install F-Droid apps without being affected by the new rules? A: Yes, with caveats. Devices running uncertified AOSP forks (GrapheneOS, CalyxOS) are unaffected. On certified devices, Obtainium—which pulls directly from developer release pages—may sidestep the restriction if developers publish signed APKs independently. The outcome depends on how Google implements the “advanced flow” and whether it covers all sideloading scenarios or only direct APK installs.

Sources:

Footnotes

  1. Android Developers Blog. “A new layer of security for certified Android devices.” Google, August 25, 2025. https://android-developers.googleblog.com/2025/08/elevating-android-security.html

  2. Medianama. “Google Moves to Block APK Sideloading by 2026.” August 2025. https://www.medianama.com/2025/08/223-google-blocks-android-apk-sideloading-2026/

  3. F-Droid. “Free and Open Source Android App Repository.” https://f-droid.org/en/

  4. Privacy Guides. “Obtaining Applications.” https://www.privacyguides.org/en/android/obtaining-apps/

  5. Obtainium app description via AlternativeTo and Privacy Guides community discussions.

  6. F-Droid. “An Open Letter Opposing Android Developer Verification.” February 24, 2026. https://f-droid.org/2026/02/24/open-letter-opposing-developer-verification.html

  7. Cybernews. “New campaign to ‘Keep Android Open’: devs don’t want to show their IDs to Google.” https://cybernews.com/privacy/keep-android-open-campaign-opposes-google-restrictive-policy/

  8. Keep Android Open. “An Open Letter to Google regarding Mandatory Developer Registration for Android App Distribution.” https://keepandroidopen.org/open-letter/

  9. 9to5Google. “Google calls Android’s new sideloading flow ‘high friction’.” January 19, 2026. https://9to5google.com/2026/01/19/google-calls-androids-new-sideloading-flow-high-friction/

  10. F-Droid. Open letter post, February 24, 2026. https://f-droid.org/2026/02/24/open-letter-opposing-developer-verification.html

  11. The Register. “AOSP on a diet plan as Google halves Android code drops.” January 8, 2026. https://www.theregister.com/2026/01/08/google_aosp_changes/

  12. OSNews. “Google takes next big leap in killing AOSP, significantly scales back AOSP contributions.” https://www.osnews.com/story/144140/google-takes-next-big-leap-in-killing-aosp-significantly-scales-back-aosp-contributions/

  13. TechCrunch. “Move over, Apple: Meet the alternative app stores available in the EU and elsewhere.” February 22, 2026. https://techcrunch.com/2026/02/22/move-over-apple-meet-the-alternative-app-stores-available-in-the-eu-and-elsewhere/

  14. Winbuzzer. “Google’s Mandatory Android Dev Registration Rule Faces Revolt.” February 25, 2026. https://winbuzzer.com/2026/02/25/eff-f-droid-open-letter-google-mandatory-android-developer-registration-xcxwbn/

Topics:
android open-source privacy

Related Articles

Open Source

Keep Android Open: F-Droid's Fight Against a Locked-Down Mobile Future

F-Droid, the open-source Android app repository, is leading a global campaign against Google's mandatory developer verification program — a policy set to take effect in September 2026 that critics say will end alternative app distribution and hand Google total control over what software can run on Android devices.

 AI Infrastructure

Alibaba's zvec: A Lightning-Fast Vector Database That Fits In-Process

Zvec is Alibaba's open-source, in-process vector database built on the battle-tested Proxima engine. It enables millisecond semantic search across billions of vectors without requiring external servers or infrastructure, making it ideal for edge AI and embedded applications.

 Security

Amazon and Google Unwittingly Reveal the Severity of the U.S. Surveillance State

Amazon Ring and Google Nest have inadvertently exposed the vast surveillance capabilities available to U.S. law enforcement through IoT devices, revealing warrantless data sharing and mass monitoring infrastructure that threatens constitutional privacy protections.

Enjoyed this article?

Stay updated with our latest insights on AI and technology.

More Articles Subscribe via RSS