'Keep Android Open' movement fights back against Google sideloading restrictions

Starting next year, Google plans to require all apps installed on certified Android devices, including sideloading, to come from developers it has verified. Many Android developers see the move as a power grab and have started a movement to "Keep Android Open."

The petition, organized by software developer Marc Prud'hommeaux, seeks to rally support to challenge Google's plan and to rouse regulators to the antitrust implications of allowing Google to oversee the verification of all Android developers working with Android Certified devices, but does not affect alternative Android or ASOP builds like /e/OS, LineageOS, or GrapheneOS.

The petition formalizes objections raised in online forums in the wake of Google's announcement and recaps sentiment articulated previously on the blog of F-Droid, an open-source alternative app store. A separate petition has been created on Change.org.

Among Android developers, opposition to Google's plan has been nearly universal, Prud'hommeaux told The Register in a phone interview. "I am sort of overwhelmed with the amount of support," he said. "I would ballpark estimate that over 90-95 percent of people are somewhere between concerned and outraged, but pretty much everyone is against it."

Google in August said, "Starting next year, Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices. This creates crucial accountability, making it much harder for malicious actors to quickly distribute another harmful app after we take the first one down."

Since 2023, Google has required developers who submit apps to the Google Play store to be verified. The company claims that identifying developers has prevented miscreants from committing fraud, distributing malware, and stealing data.

Starting in March 2026, Google plans to extend its verification system to all Android developers. And in September 2026, the company intends to start enforcing its registration requirement in Brazil, Indonesia, Singapore, and Thailand, with additional regions to follow.

Prud'hommeaux said the specific scenario Google aims to address is repeat offenders – developers who submit malicious apps and then create new versions with different digital identifiers to replace bad apps that have been removed.

The petition asks organizations to add their signature to an open letter opposing Google's verification process [PDF], which requires a one-time $25 fee and Google payment profile, agreeing to Google's Terms and Conditions, supplying government identification, proving ownership of app signing keys, and declaring current and future app identifiers.

"While we recognize the importance of platform security and user safety, this requirement represents an unprecedented expansion of Google's control over the Android ecosystem that threatens innovation, competition, privacy, and user freedom," the letter says. "We urge Google to rescind this policy immediately."

Google did not immediately respond to a request for comment.

Prud'hommeaux, a board member for F-Droid who also runs the alternative iOS store App Fair, is one of two contributors to the Keep Android Open site, a project he said he undertook as a personal project.

• AI layoffs to backfire: Half quietly rehired at lower pay
• This security hole can crash billions of Chromium browsers, and Google hasn't patched it yet
• OpenAI non-profit will run for-profit that has yet to make a profit
• Android malware types like your gran to steal banking creds

On Tuesday, via the F-Droid blog, he renewed his challenge to Google's assertions about its verification program, specifically the company's claim that "Sideloading is fundamental to Android and it is not going away."

"This statement is untrue," he wrote in his post. "The developer verification decree effectively ends the ability for individuals to choose what software they run on the devices they own.

"It bears reminding that 'sideload' is a made-up term. Putting software on your computer is simply called 'installing,' regardless of whether that computer is in your pocket or on your desk."

Both Google and Apple [PDF] use the term "sideloading" as a pejorative, possibly because they have a commercial interest in running app store toll booths.

Prud'hommeaux proposes the term "direct installing," in case you need to make a distinction between obtaining software the old-fashioned way versus going through a rent-seeking intermediary marketplace like the Google Play Store or the Apple App Store.

Pointing to The Register's recent report about 77 malicious apps on Google Play that amassed more than 19 million downloads, Prud'hommeaux questions both Google's ability to catch malicious apps and its lack of evidence to support the claim that it "found over 50 times more malware from internet-sideloaded sources than on apps available through Google Play."

Developer verification presumably has some impact on opportunities to distribute malicious software. But Google's bid to bless compliant Android developers with the power of app distribution comes with no guarantee – the company offers no warranty for its security oversight and doesn't compensate Android users when it distributes malware via Google Play. Google's plan also comes with a cost – it restricts Android device owners' freedom to choose the software they want to install on their own hardware.

What's more, verified developers may still end up unwittingly submitting apps to Google Play or other app stores that have been compromised through third-party SDKs or packages. For all the talk about how AI can improve the detection and remediation of security vulnerabilities, it's noteworthy that Google plans to enact a global developer-identity allow list.

"I'd say it's conceivably possible that there is some glimmer of merit," Prud'hommeaux told The Register when asked about Google's security claims. "A more convincing explanation, of course, is that they feel like they have enough of a lock on the ecosystem that they can assert complete control over every application that's distributed in the world to Android-certified devices, which is more than 95 percent of devices outside of China."

Prud'hommeaux in his F-Droid post goes on to mention how Google's Chrome Extension changes have limited the effectiveness of ad blockers and how the company has gated the development of the Android Open Source Project (AOSP) so that it no longer occurs in public.

"Developer verification is an existential threat to free software distribution platforms like F-Droid as well as emergent commercial competitors to the Play Store," he wrote. "We are witnessing a groundswell of opposition to this attempt from both our user and developer communities, as well as the tech press and civil society groups, but public policymakers still need to be educated about the threat."

Prud'hommeaux told The Register that while Google's announcement was fairly recent, regulators are starting to scrutinize the company's verification scheme. He said he's been in touch with Brazilian regulators and US antitrust officials in four different states. And he said that the European Union is starting to take an interest, though it hasn't opened an official investigation.

"It's going to be very interesting for those four countries where Google has announced that this is going to be initially rolled out in 2026, which are Brazil, Indonesia, Singapore, and Thailand," he said. ®