Google is pushing forward with one of the most controversial changes to Android in years — and the open-source community is pushing back hard. Starting in September 2026, any app installed on a certified Android device must come from a developer who has registered with Google and verified their identity. That means sideloaded apps, apps from alternative stores like F-Droid and the Amazon Appstore, and even apps you build yourself for personal use will require Google’s approval to install — unless you jump through some significant hoops.

What’s Actually Changing
Until now, Android’s defining feature over iOS has been its openness. Anyone could write an app and install it directly on their own device — or distribute it through any channel they chose — without asking permission from Google. That changes this year.
Google’s new Android developer verification requirement will block installation of any app from an unverified developer on certified Android devices — that’s any phone or tablet that ships with Google Play, Google Mobile Services, and the Play Store. That covers more than 95% of Android devices globally, outside of China.
The new Android Developer Console, which opened to all developers in March 2026 (after an early access period starting in October 2025), requires developers to submit:
- Legal name, address, email, and phone number
- Government-issued photo ID (for individuals)
- D-U-N-S number and business website (for organizations)
- A one-time $25 registration fee
- App signing keys and package name declarations for every app they distribute
Google Play developers — who already verified their identities in 2023 — are largely unaffected. The new rules primarily hit the alternative distribution ecosystem: F-Droid, sideloaders, hobbyists, and any developer who distributes apps outside Google’s store.
The Rollout Timeline
Enforcement doesn’t kick in immediately. Google is rolling this out in phases:
- March 2026: Android Developer Console opens to all developers for registration
- September 2026: Enforcement begins in Brazil, Indonesia, Singapore, and Thailand
- 2027 and beyond: Global rollout continues
Google framed the phased approach as a way to pilot the system in regions most affected by fraudulent app scams, before expanding worldwide.
The “Advanced Flow” — A Way Out?
On March 19, Google published details of its so-called “advanced flow” — a workaround for power users who want to install apps from unverified developers after the lockdown takes effect. The process requires enabling Developer Mode (by tapping the build number seven times), navigating to Developer Options, toggling “Allow Unverified Packages,” and then dismissing multiple warning screens. Users can allow installs either temporarily (seven days) or permanently.
Critics from the Keep Android Open coalition are unimpressed. The entire flow is delivered through Google Play Services rather than the Android OS itself, meaning Google can modify, restrict, or remove it at any time without an OS update — and without user consent. The coalition’s position remains that verified installation is not meaningfully “optional” when the alternative is buried behind developer flags and dismissible warning screens.
The Open Letter — and Who Signed It
In February 2026, a coalition of 37 technology companies, nonprofits, and civil society organizations published an open letter at keepandroidopen.org addressed directly to Alphabet CEO Sundar Pichai, founders Larry Page and Sergey Brin, and Android’s app ecosystem chief Vijaya Kaza. The signatories include some big names in digital rights and open-source software:
- Electronic Frontier Foundation (EFF)
- Free Software Foundation (FSF)
- Software Freedom Conservancy
- F-Droid
- Proton AG (makers of ProtonMail and Proton VPN)
- Fastmail
- Vivaldi (the browser)
- Chaos Computer Club
- Article 19 (a free expression organization)
Their core argument: Google is extending its gatekeeping authority beyond its own marketplace into distribution channels where it has no legitimate role. “While we do recognize the importance of platform security and user safety, the Android platform already includes multiple security mechanisms that do not require central registration,” the letter states. Google Play Protect already scans all installed apps for malware, regardless of source. Developer identity verification doesn’t prevent malicious apps — it just makes their authors easier to identify after the fact.
What It Means for F-Droid and Open-Source Apps
F-Droid, one of the most popular alternative Android app repositories, is in a particularly difficult position. The platform’s entire model is built around anonymity and community review — it verifies apps through reproducible builds and code auditing, not developer identity. Requiring F-Droid’s thousands of developers to hand over government-issued ID to Google is, as the platform puts it, “structurally incompatible” with how open-source distribution works. F-Droid board member Marc Prud’hommeaux has been leading the resistance effort, contacting antitrust regulators in the US, Brazil, and EU.
Notably, custom Android builds like GrapheneOS, LineageOS, and /e/OS are unaffected — they don’t use Google certification and never will. But those represent a vanishingly small fraction of Android users.
Google’s Security Argument
Google’s case for the policy rests on a striking statistic: apps sideloaded from outside the Play Store are 50 times more likely to contain malware than Play Store apps. The company says that after it required Play Store developer verification in 2023, malware and fraud dropped significantly, because bad actors who had been removed could no longer publish harmful apps under new anonymous accounts.
The company compares the new verification to an ID check at the airport — confirming who the developer is, not reviewing the content of their app. There’s no app review involved, only identity accountability.
Opponents have countered that Google’s own Play Store has distributed malicious apps at scale — the store itself has served 77 harmful apps that accumulated over 19 million downloads — which undermines the contrast implied by the “50x safer” claim.
What Happens If You’re a Hobbyist?
Google has carved out a “limited distribution” tier for students, hobbyists, and personal-use developers. Under this track, developers can distribute apps to up to 20 devices without providing a government ID and without paying the $25 fee. An early preview of this experience is expected in June 2026. It’s a reasonable accommodation for truly personal-use scenarios, but it doesn’t address the concerns of the open-source community, which needs to distribute to many more than 20 users.
The Bigger Picture
This policy arrives at a particularly charged moment. Google is still navigating the aftermath of its antitrust settlement with Epic Games, which created new pressure to open the Play Store ecosystem. The verification requirement can be read as Google preemptively tightening control of the distribution layer before that opening takes effect — ensuring that even if third-party stores gain access, developers distributing through those stores still have a dependency on Google.
Whether Google softens the policy before September enforcement begins remains to be seen. The regulatory attention being drawn by the Keep Android Open coalition — and the high-profile nature of the signatories — suggests this fight isn’t over. For now, the clock is ticking: September 2026 in Brazil, Indonesia, Singapore, and Thailand. The rest of the world follows in 2027.
Affected by this change? Developers can register at the Android Developer Console. To follow the resistance effort, visit keepandroidopen.org.

