F-Droid, the venerable open-source Android app repository that’s been a presence in the Android community since 2010, is warning users that just-published Google Play Store rules could be used to prevent apps from being updated or installed if they aren’t compliant with Google’s policies following its intended crackdown on non-Play Store app installs (often referred to as sideloading) and rough equivalents of app stores known as “stores within stores.” Mainly: This isn’t for show — come September, we are likely to start seeing app updates blocked for not checkpointing themselves against Google Play’s newest substitute-dad version of itself.
The group maintains that the policy would consolidate control over Android app identity and distribution with Google, even for software that never comes near the Play Store.
What Google Is Changing in Android App Verification
Google intends for every Android app to be associated with a verified developer identity, attached to government-issued ID and other personal information. Developers would also be required to publicly submit their app identifiers and signing keys to Google — ensuring one reference for the provenance of an app on the platform.
Google casts the change as a security upgrade, one that enforces accountability and cuts down on malware. The company has said that the rollout will be staggered and starting in 2026, with the purported goal of maintaining sideloading or any other store as a way to distribute apps.
Why F-Droid Says It Can’t Comply With New Rules
F-Droid functions differently than most commercial stores, only curating free and open-source software, frequently built from source in reproducible ways, and promoting apps that avoid trackers and aggressive data collection. Many of the maintainers and contributors are volunteers, publishing under project names not corporate ones.
Forcing every app’s identity and signing credentials to be known by Google, F-Droid contends, would mean that developers (and they could be a single person operating under an alias or spread across jurisdictions) would have to get Google’s approval to reach users with their software. Because F-Droid could not take over devs’ identities or keys, the repository claims it would be unable to continue publishing in its current state.
The concern isn’t limited to a single repository. All stores, and even direct download channels, that could not or would not force developers through Google’s verification pipeline risk being relegated to sideloads if Google can become the exclusive gatekeeper for app identities.
A Test For Sideloading And Alternate Stores
Sideloading has always been part of what appeals to some users about Android, who like being able to install software directly or from (often unsanctioned) third-party stores. While big stores like Amazon Appstore or Samsung’s Galaxy Store can conceivably update their processes to verify apps in a new way, community-driven catalogues like F-Droid — and niche app stores that may be used for regional or limited use case-specific applications — might find it especially difficult.
Scale illustrates the asymmetry. F-Droid has just over 3,000 apps compared to the millions available on the Play Store, which runs on billions of devices. For privacy tools, research utilities, and open-source clients that count on F-Droid as a primary distribution channel, losing access to that channel might mean fewer updates and less discoverability for users who actively avoid Play.
The Security Argument And Its Boundaries
Google’s security posture has been getting stronger and stronger, from Play Protect scanning the device to our analysis pipelines with App Defense Alliance.
The company’s Android security reports have consistently documented lower rates of potentially harmful apps among Play-distributed devices — a figure often less than a tenth of a percent — as opposed to those installed from elsewhere.
Nevertheless, there have been instances when advanced malware families made their way past Play’s defenses, and by centralizing developer identity and signing data with one company, it introduces a new layer of risk, as well as an additional point of control. F-Droid argues that open-source scrutiny, reproducible builds, and review of the repository itself offer an alternative trust position, which is not to be subservient to a sole commercial gatekeeper.
Regulatory Landscape and Timeline for Enforcement
The policy lands in the midst of intense global scrutiny on mobile platforms. In Europe, the Digital Markets Act mandates that gatekeepers enable alternative app stores and sideloading without setting conditions where such channels are impracticable; or if certain specific criteria are met — meaning Apple would not become Boy Scouts to join forces with Yahoo Mail, etc. Regulators at the European Commission and the UK Competition and Markets Authority have expressed curiosity about how mobile ecosystems police identity, payments, and distribution rules.
And here in the United States, app distribution is feeling antitrust heat after a jury concluded that Google had an illegal stranglehold on Android app distribution. They should think about enforcing anyway. A report in French for the EU. F-Droid is encouraging enforcers from different regions to check if verified developer policies really preserve competition and user choice, despite explicit exceptions for “sideloading.”
The program, under Google’s current guidance, is launching in waves beginning September 2026, giving a lengthy runway for implementation and feedback. The crucial question for regulators will be whether the policy has the practical effect of preserving meaningful alternatives.
What It Means for Developers and Everyday Users
Some independent maintainers, nonprofits, and researchers who want to limit the data collected on them or who operate in sensitive areas may recoil at sending government IDs and signing declarations to Google. Projects that simply don’t or won’t onboard may be forced to shed community store distribution for web apps, self-updates, and Android distributions.
For consumers, the danger is a less-varied marketplace in which experiment and niche utility retreat from mainstream channels. Another is that Google maintains developers will still be free to use any app store, or sideload apps; F-Droid’s Thomas told me verification, as described, makes the current suggestion a permission, which Google then would have to decide to grant or deny.
The next 18 to 24 months will tell whether the policy can be waived in order to reach our security goals, without smothering the decentralized distribution that is how Android has grown for years. The result will determine how “open” Android actually is in practice, rather than on paper.
