F-Droid’s “Keep Android Open” campaign is a coordinated effort to stop Google from requiring all Android app developers to register with the company (paying fees, submitting government ID, and disclosing signing keys) before their apps can be installed on any certified Android device worldwide. If Google’s policy takes full effect starting September 2026, it will effectively end independent app distribution on Android, including F-Droid itself.
What Is F-Droid?
F-Droid is a free, open-source application repository for Android, founded in 2010 and celebrating its 15th anniversary in 2025. Unlike the Google Play Store or Samsung Galaxy Store, F-Droid does not charge developers, display advertisements, or track users. It operates on a straightforward principle: every app in the repository must be completely open source, audited by the F-Droid team, and compiled from its publicly available source code.
The platform’s security model is fundamentally different from commercial app stores. When a developer submits an app, F-Droid reviews the source code to verify it contains no undocumented “anti-features”: trackers, advertisements, or proprietary libraries. The build service then compiles the app directly from source, and where possible, uses reproducible builds to allow independent verification that the published binary matches the source code exactly. F-Droid does not require user accounts or registration, by design. It cannot track how many people use it.
As of early 2026, F-Droid hosts thousands of free and open-source apps, ranging from privacy-focused browsers and encrypted messengers to scientific tools and utilities that have no commercial equivalent on mainstream stores.
What Is Google’s Developer Verification Program?
In August 2025, Google announced a new Android Developer Verification program through a blog post authored by Suzanne Frey, VP of Product, Trust & Growth for Android. The program requires all developers distributing apps on certified Android devices (meaning virtually every Android phone sold outside China, which represents the vast majority of the world’s Android installed base) to register with Google before their apps can be installed.
The registration process, as described in Google’s official documentation (as of February 2026), involves:
- A one-time $25 fee linked to a Google payment profile
- Government-issued identification documents for identity verification
- Business registration documents for organizational accounts (including a verified website)
- Enumeration of all app package names to be distributed
- Upload of a cryptographic proof linking the app’s signing key to the registered developer
Google’s timeline sets the initial enforcement in September 2026 across four countries (Brazil, Indonesia, Singapore, and Thailand), with global rollout planned for 2027 and beyond. The early access program for developers opened in November 2025, with full developer access from March 2026. [Updated June 2026] In a June 18, 2026 status post, Google pinned the first hard deadline to September 30, 2026 and confirmed the intermediate milestones: the free Limited Distribution tier and a new “ID Status” API enter early access in July 2026, with the developer console’s distribution API and the consumer-facing install flow arriving in August. Google also said that more than 99% of installs from Google Play already come from registered developers, an argument that the verification net mostly catches the long tail outside Play, which is precisely where F-Droid lives. The same post did not repeat the malware statistic the program was launched on.
Google frames the program as a security measure, citing an internal analysis that found “over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.” The company argues that requiring developer accountability will deter repeat bad actors who use anonymity to distribute malware and financial scams.
Why Does This Matter for Open-Source Software?
F-Droid’s position is unambiguous: the developer verification decree will end the F-Droid project as it currently operates. The reasoning is structural, not theoretical.
F-Droid distributes apps that have been compiled from open-source code submitted by independent developers around the world. Many of these developers are volunteers, researchers, or small teams operating without legal entity, payment processing infrastructure, or willingness to submit personal identification to a corporation. Under the new rules, every app distributed through F-Droid must be registered under a verified developer account: either the original developer’s account, or another account that legally claims ownership of the app’s package identifier.
F-Droid cannot force its contributors to register with Google. Nor can it claim the package identifiers for apps it distributes without effectively asserting exclusive distribution rights, which would contradict the open-source ethos entirely. The result is a catch-22: comply with Google’s system, or cease to distribute apps on certified Android devices.
The Electronic Frontier Foundation has signed on to F-Droid’s open letter, articulating the broader concern: “When you set up a gate, you invite authorities to use it to block things they don’t like. And when you build a database, you invite governments (and private parties) to try to get access to that database.”
The EFF identifies specific communities most at risk: VPN developers distributing privacy tools in countries where those tools invite legal risk; reporters and activists building apps that document government abuses; researchers who use pseudonyms and cannot safely attach their government ID to a software project. The pattern is familiar from other policy fights where non-commercial open-source distribution gets swept up in rules written for commercial platforms, the same dynamic that determines whether hobbyist projects are covered by laws like Colorado’s age-attestation statute.
How the “Keep Android Open” Campaign Works
The campaign operates at keepandroidopen.org, launched by F-Droid and allied open-source advocates. It functions on several simultaneous tracks:
Developer resistance: The campaign urges Android developers not to sign up for Google’s early access verification program. The site argues that developer acquiescence is the only way Google’s plan can succeed: if a critical mass of developers refuse to register, the policy becomes impossible to enforce without blocking vast amounts of legitimate software.
Regulatory pressure: The campaign provides direct guidance to users and developers for contacting competition authorities in over 20 jurisdictions, including the European Commission’s Digital Markets Act team, the UK Competition and Markets Authority, the US Federal Trade Commission, and regulatory bodies in Brazil, Indonesia, Singapore, and Thailand, the four initial enforcement countries.
Consumer action: Users are encouraged to install F-Droid on their Android devices now, increasing the user base of alternative distribution to make it harder to marginalize.
Technical countermeasures: The campaign links to the FreeDroidWarn library, which developers can include in their apps to inform users about the verification issue.
As of May 2026, 71 organizations from 23 countries have signed the open letter, including the EFF, FSF, Tor Project, Proton, KDE, LineageOS, CryptPad, Nextcloud, Vivaldi, and the Software Freedom Conservancy, with over 100,000 petition signatories. The campaign’s Hacker News thread accumulated over 1,300 upvotes, reflecting broad technical community concern about the policy’s implications.
Google’s Security Argument and Its Limits
Google’s core justification (50x more malware from sideloaded sources) is cited without a linked study, making independent verification impossible. F-Droid’s published response notes that Google Play itself has repeatedly hosted malware: in 2025 alone, 224 malicious apps were removed from the Play Store after an ad fraud campaign was discovered, with over 19 million total downloads of malware from the Play Store recorded in the same period.
F-Droid also points to an existing technical solution: Google Play Protect, a service already active on all certified Android devices, which scans and disables malware regardless of where apps were installed from. If Play Protect already addresses the malware problem, the argument that mandatory developer registration is the only remaining defense becomes difficult to sustain.
Under pressure from the campaign and its coalition, Google made two concessions in early 2026. First, it introduced a “limited distribution” account tier (free, no ID required) that allows developers to sideload apps to up to 20 specific devices, each authorized through a QR-code or link handshake. This addresses students and hobbyists but does nothing for F-Droid’s catalog of apps intended for general distribution. Second, Google announced an “advanced flow” for power users willing to accept higher security risk: sideloading an unverified app requires enabling developer mode, confirming you aren’t being coached to install malware, restarting your device, and completing biometric authentication after a mandatory 24-hour waiting period. [Updated June 2026] The 24-hour delay is one-time per device rather than per install: once a user clears it, they grant the unverified-install permission for either seven days or indefinitely. As of June 2026 the advanced flow had not yet shipped; only the background system service was rolling out, with the consumer-facing flow still slated for August 2026. Campaign organizers at keepandroidopen.org dispute whether this is a real concession, calling it a multi-step friction barrier that most ordinary users will never navigate. [Updated June 2026] In April 2026 Google added a further accommodation, a request-based path for developers whose signing keys do not meet the automatic install-share threshold, after complaints that the original scheme could let an impostor claim another project’s package name. It did not change the core requirement that a verified account stand behind every app.
Critics, including the EFF and multiple commentators, argue the real motivation is consolidation of market power, particularly notable given that Google simultaneously faces court-ordered changes to the Play Store following its loss in the Epic Games antitrust case. [Updated June 2026] The Ninth Circuit affirmed the jury verdict and Judge James Donato’s injunction on July 31, 2025; Google and Epic then reached a proposed settlement in November 2025 under which Epic and other rival stores could register as approved app stores on Android worldwide, with tiered service fees of roughly 9 to 20 percent. Donato declined to approve that settlement in November 2025, skeptical it cured the conduct the jury found illegal, and the parties filed amended terms in March 2026 (Fortnite returned to the Play Store that month). [Updated June 2026] As of June 2026 the settlement is still not approved: at an April 2026 hearing Donato ordered a summer-2026 evidentiary hearing he called the “final act,” and the US Federal Trade Commission has filed a formal objection. The 2024 injunction, which bars Google from blocking third-party stores and sideloading, is the legally operative remedy in the meantime. Developer verification, critics argue, provides a new mechanism to maintain central control over the Android software ecosystem even as the court attempts to open it.
Android App Distribution: A Comparison
| Platform | Cost to Developer | ID Required | Source Code Required | User Tracking | Sideloading |
|---|---|---|---|---|---|
| Google Play | $25 one-time | Yes | No | Yes | N/A (official store) |
| F-Droid | Free | No | Yes (open source) | No | Yes |
| Samsung Galaxy Store | Varies | Yes | No | Yes | N/A |
| Direct APK sideloading (pre-2026) | Free | No | No | No | Yes |
| Direct APK sideloading (post-Sept. 2026, verified) | $25 + ID | Yes | No | Depends | Restricted |
| Direct APK sideloading (post-Sept. 2026, advanced flow) | Free | No | No | No | Yes, with 24h wait + developer mode |
The table illustrates that unverified sideloading survives in some form, but only behind friction that Google controls and can adjust. The distinction between verified and unverified distribution is now a policy dial, not a technical limit.
The Digital Sovereignty Dimension
The keepandroidopen.org campaign frames the issue not just as an open-source software problem but as a matter of national digital sovereignty. Over 95% of Android devices sold outside China are certified Android devices. Over half of all humans on Earth use an Android smartphone. A policy dictated by a single US corporation, requiring every app developer on Earth to register with that corporation before their software can run on the majority of the world’s smartphones, is, the campaign argues, an unprecedented privatization of what has historically been a public commons.
The campaign specifically notes Google’s track record of complying with government requests to remove legal apps (citing authoritarian regimes as examples) and asks whether states should cede their citizens’ software access to a company with that history.
The EU’s Digital Markets Act is frequently cited as the most promising legal avenue for challenge. The DMA designates Google as a “gatekeeper” and places specific obligations around interoperability and competition. F-Droid and allies argue that mandatory developer verification may directly violate the DMA’s requirements. [Updated June 2026] So far the pressure is political rather than enforcement. As of June 2026 the European Commission has not opened a case or issued a statement on developer verification specifically; the concrete EU touchpoints are a written question to the Commission filed in April 2026 by MEP Christel Schaldemose asking whether the policy is DMA-compatible (still unanswered), and reporting that EU politicians across the spectrum are pressing the Commission to consider whether action is needed. The Commission’s live Android DMA proceeding, opened in January 2026, concerns AI-service interoperability and search-data sharing, not app distribution. The EU is also simply not in Google’s announced phases (four countries in 2026, “global” in 2027), and the widely repeated claim that the bloc is exempt because of the DMA is analyst inference, not something Google or the Commission has stated. The UK followed a different track: the Competition and Markets Authority gave Google “Strategic Market Status” in mobile in October 2025 and published binding commitments in April 2026, though those cover app review, ranking, and data use rather than verification. The contrast with hardware rules is instructive: where the EU has been willing to legislate device design directly, as with its 2027 user-replaceable-battery mandate, it has so far approached app-distribution control through the slower machinery of DMA gatekeeper obligations rather than a bright-line rule.
Meanwhile, in March 2025 Google moved day-to-day Android development into internal branches rather than developing the Android Open Source Project (AOSP) in public. [Updated June 2026] This is narrower than “closing” AOSP: the source is still published under the Apache 2.0 license, but the public release cadence dropped to twice yearly in 2026, and since Android 16 Google stopped shipping Pixel device trees and switched the AOSP reference target to its virtual “Cuttlefish” device, which raises the cost of building and maintaining custom ROMs. The keepandroidopen.org campaign notes that developing in private is how Google was able to build the verification infrastructure without public review.
What Happens If Google Proceeds?
If the September 2026 deadline arrives without regulatory intervention or Google reversing course, the practical consequences are significant:
- Apps distributed through F-Droid that lack a verified Google developer registration will fail to install on certified Android devices in Brazil, Indonesia, Singapore, and Thailand starting September 2026.
- The global rollout in 2027 would extend this to virtually all Android users outside China.
- F-Droid has stated plainly that the project, in its current form, would cease to function under these conditions.
- Alternative app stores, including emerging commercial competitors to Google Play, face the same structural problem if they distribute apps whose developers refuse to register.
As of May 2026, the September enforcement deadline remains on Google’s official developer verification page. Google’s concessions (the limited distribution tier and the advanced flow) do not resolve the structural problem for F-Droid’s catalog. The campaign at keepandroidopen.org continues to push for full rescission, not friction reduction.
Frequently Asked Questions
Q: Is Google actually banning F-Droid? A: Not directly. Google’s policy requires all app developers to register with the company and submit identification. Since F-Droid distributes apps from thousands of independent open-source developers, many of whom will not or cannot register, F-Droid’s catalog would become unusable on certified Android devices through standard installation flows.
Q: Can I still install F-Droid after September 2026? A: The F-Droid app itself may remain installable, but the apps it distributes will fail to install through normal flows on certified Android devices in the initial four countries (Brazil, Indonesia, Singapore, Thailand) starting September 2026, with global rollout planned for 2027. Google’s “advanced flow”, scheduled to launch in August 2026, provides a path to sideload unverified apps, but it requires enabling developer mode, completing biometric authentication, and waiting through a mandatory 24-hour delay.
Q: Does Google’s malware argument have merit? A: Google cites “50x more malware from sideloaded sources,” but has not published the underlying study. F-Droid notes that Google Play itself has hosted malware (224 malicious apps removed in 2025), and that Google Play Protect already scans all installed apps regardless of source.
Q: What can developers do? A: The Keep Android Open campaign urges developers not to register for Google’s verification program, arguing that mass refusal makes the policy unenforceable. Developers can also include the FreeDroidWarn library in their apps to alert users to the issue.
Q: Will this affect custom ROMs like LineageOS? A: Devices running custom ROMs that forgo Google certification (and thus lose access to Google Play Services) would not be subject to Google’s verification requirements. However, the vast majority of Android devices sold to consumers are certified devices that would fall under the new policy.