Rogue devs of sideloaded Android apps beg for freedom from Google’s verification regime
- Reference: 1771960152
- News link: https://www.theregister.co.uk/2026/02/24/google_android_developer_verification_plan/
- Source link:
The signatories, including Article 19, the Electronic Frontier Foundation, the Free Software Foundation, F-Droid, Fastmail, and Vivaldi, on Tuesday published an [1]open letter to Alphabet and Google CEO Sundar Pichai, founders and board members Larry Page and Sergey Brin, and Vijaya Kaza, general manager for app and ecosystem trust, to voice their opposition to the plan.
"While we do recognize the importance of platform security and user safety, the Android platform already includes multiple security mechanisms that do not require central registration," the letter says.
[2]
"Forcibly injecting an alien security model that runs counter to Android's historic open nature threatens innovation, competition, privacy, and user freedom. We urge Google to withdraw this policy and work with the open-source and security communities on less restrictive alternatives."
[3]
[4]
In August 2025, Google announced that apps installed on certified Android devices would need to be tied to a verified developer account. Developers must complete identity checks, with a $25 one-time fee for standard distribution accounts.
"Starting next year, Android will require all apps to be registered by verified developers in order to be installed by users on [5]certified Android devices ," the company said. "This creates crucial accountability, making it much harder for malicious actors to quickly distribute another harmful app after we take the first one down."
[6]
The [7]verification scheme [PDF], in early preview since November 2025, opens to all developers in March 2026. Come September, when the system will be extended to Brazil, Indonesia, Singapore, and Thailand, developers who have not verified their identities and registered their apps will have their apps blocked from installation on certified Android devices.
[8]Google Antigravity falls to Earth under OpenClaw-fueled compute load
[9]Microsoft execs worry AI will eat entry level coding jobs
[10]IBM stock dives after Anthropic points out AI can rewrite COBOL fast
[11]Go library maintainer brands GitHub's Dependabot a 'noise machine'
This doesn't change much for Android developers distributing applications through Google Play – Google has required them to be verified since 2023. Nor does it affect alternative Android or AOSP builds like /e/OS, LineageOS, or GrapheneOS.
But it's a major departure for Android developers distributing their apps through alternative app markets like the Amazon Appstore, Galaxy Store, and F-Droid. It converts the polytheistic Android ecosystem into an imitation of the monotheistic Apple's iOS ecosystem.
The letter signatories object to Google requiring Android devs who seek to distribute apps through alternative channels to first seek permission from Google, to agree to Google's terms and conditions, to pay a fee, and upload government-issued identification.
"This extends Google's gatekeeping authority beyond its own marketplace into distribution channels where it has no legitimate operational role," the signatories argue. "Developers who choose not to use Google's services should not be forced to register with, and submit to the judgement of, Google."
[12]
They also argue that mandatory registration imposes barriers on developers with limited resources, researchers, and academics; raises concerns about privacy and surveillance; extends Google's opaque, unaccountable app review process to a broader set of developers; and raises antitrust and regulatory concerns.
In an email to The Register , Marc Prud'hommeaux, F-Droid board member and an organizer of [13]a prior petition to halt Google's plans , said, "We genuinely hope that Google will listen to the overwhelming community opposition against their threatened lockdown of the Android platform and take this opportunity to reverse course and start rebuilding their reputation as a faithful steward of Android."
Google did not immediately respond to a request for comment. ®
Get our [14]Tech Resources
[1] https://keepandroidopen.org/open-letter/
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/oses&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aZ4tlBlWRpXa-EiSsOkh6QAAAEI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/oses&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aZ4tlBlWRpXa-EiSsOkh6QAAAEI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/oses&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aZ4tlBlWRpXa-EiSsOkh6QAAAEI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://www.android.com/certified/partners/
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/oses&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aZ4tlBlWRpXa-EiSsOkh6QAAAEI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://developer.android.com/developer-verification/assets/pdfs/introducing-the-android-developer-console.pdf
[8] https://www.theregister.com/2026/02/23/google_antigravity_compute_burden/
[9] https://www.theregister.com/2026/02/23/microsoft_ai_entry_level_russinovich_hanselman/
[10] https://www.theregister.com/2026/02/23/ibm_share_dive_anthropic_cobol/
[11] https://www.theregister.com/2026/02/24/github_dependabot_noise_machine/
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/oses&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aZ4tlBlWRpXa-EiSsOkh6QAAAEI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[13] https://www.theregister.com/2025/10/29/keep_android_open_movement/
[14] https://whitepapers.theregister.com/
Re: Total Identity Ecosystem
...so they can sell you tat you don't need.
Re: Total Identity Ecosystem
This is a potential PITA. I'm using a popular Android app that can talk to various blood glucose monitoring devices and get data from them. That's all great and legit and the developers might not be too upset about one of them having to sign/certify builds.
However, some of the medical devices (one very popular manufacturer) only output encrypted data and so it's necessary to have an additional package running that decrypts the data before it gets to the main app.
Is anybody going to be willing to sign/certify that additional package? I'm worried that the odds are fairly low since there's a possible risk with DMCA. If nobody will sign it then a huge number of people will no longer be able to use the app and will end up having to use the manufacturer's own cr*ppy app :(
Why not?
Seems reasonable to me.
Re: Why not?
Well, for a *start* we've found somebody who doesn't code for a hobby and just wants to run their own apps without handing their ID over...
Definitely not somebody who believes that youngsters should be free to learn how to code for the devices they carry around all day long. No verifiable identity (driver's licence at 13?), no learning for you.
Re: Why not?
It’s up to me to buy a “certified Android device”, it is also up to me whether I install app’s from any specific App Store.
I suspect what Google are actually saying: Android with Google Play Services will no longer support side loading. However, to avoid saying this they will allow Google verified vendors to install their apps from places other than the Play store.
For this to work, I suggest Google will require developers to use a Google issued certificate for code signing etc…
Re: Why not?
Reasonable?
How many regular, everyday android users, do you feel are not using the Play Store outside of China where it's not allowed?
Most don't use third party stores, fewer still will be looking for apps outside what's also available on the Play Store and therefore already signed up.
The amount of people this "security" feature is protecting is infinitesimally small and, in all likelihood, using these alternative stores for good reason and because they're technically savvy enough to know the risks.
Given the premise falls short of reality, there's clearly another reason that Google are doing this, one they don't want to admit publicly, and that should be a very big red flag.
Re: Why not?
1) Expense: Why should a developer have to pay Google when Google will be providing no actual services to the developer? These are apps distributed and managed outside the Play store.
2) Vulnerability: Some two piece chicken mcnobody launches a spurious claim against the developer about one of their apps. The developer license is suspended for investigation, if not permanently. This kills every other app by the developer immediately.
2b) This affects legitimate developers who might have been breached to publish something under their license, or push a bad update.
3) Pointless: Google claims it will stop proliferation of bad apps. Outside of the play store, not only is it the business of the app store operator to manage their offerings, but often one must actively and deliberately seek said apps. If they do so unwittingly, they are otherwise so susceptible to "go here and install this" schemes that trying to secure them is futility defined, they will always find a way to stick the fork into an electrical socket.
3b) Bad actors will probably pony up $25 without hesitating because they stand to greatly profit. So the socket remains available for being forked, and can be accidentally forked by people who think being Google Verified is an automatic sign of trustworthiness.
Re: Why not?
Let's say I want to sell you a washing machine and you want to buy it off me and we've agreed a reasonable price we're both happy with. My old machine, your house. Simple, no?
Except now Google say that we need their permission because their contractors built your house. Oh and I also have to pay them.
Where is the part that's reasonable?
Rogue journalist snipes at legitimate developers
I say this because there's nothing in the article to explain why the developers are rogue. Bad el Reg!
Total Identity Ecosystem
Sadly, this train isn't stopping until everyone is identified in everything they say or do.
Whether it's age gating the web, or forcing FOSS devs to have a DUNS number to get a code signing cert, the masters won't be satisfied until they know who you are, your life history, and everything you say or do.