

Open Source Android Repository F-Droid Says Google's New Rules Will Shut It Down (f-droid.org)
F-Droid has warned that Google's upcoming developer verification program will kill the free and open source app repository. Google announced plans several weeks ago to force all Android app developers to register their apps and identity with the company. Apps not validated by Google will not be installable on certified Android devices.
F-Droid says it cannot require developers to register with Google or take over app identifiers to register for them. The site operators say doing so would effectively take over distribution rights from app authors. Google plans to begin testing the verification scheme in the coming weeks and may charge registration fees. Unverified apps will start being blocked next year in Brazil, Indonesia, Singapore, and Thailand before expanding globally in 2027. F-Droid is calling on US and EU regulators to intervene.
I *Hate* to Side With Google, But ... (Score:1, Insightful)
I'm loath to side with Google on anything, but if you're going to manage ANY ecosystem, it seems like a pretty reasonable security step to want to know who is behind the software that's being installed on your users' machines.
The only alternative seems to be "let complete strangers, who could be threat actors, provide apps containing potentially malicious code." I can't really fault Google for preventing that.
Re:I *Hate* to Side With Google, But ... (Score:5, Insightful)
You're knowingly side-loading the store and it already warns you about the risk. Apart from that, Google Play Protect scans even side-loaded software for malicious code, so you're still protected in a way. Google Play Store is full of malware, so registering with Google apparently doesn't guarantee security. This is just a predatory move.
Re: (Score:2)
Maybe they should be taking inspiration from the world of certificates and allow stores to sign, establishing a chain of trust. If the store acts as a good citizen in preventing malware then they can continue to operate; if not, revoke their signing capability.
Re: (Score:3)
So, this doesn't offer any benefit compared to the system Google has announced, where developers will upload their apk to a Google-controlled server and have it signed by Google (aka "notarized"). Note: Android apks a
Re: (Score:1)
I have programmed multiple programs, compiled them and run their EXEs with no problem.
Re: (Score:3)
Because Google has turned more evil than Microsoft lately. Microsoft could also block the execution of unsigned executables in the latest Windows version (most Windows executables are signed nowadays, so only retro gamers will notice), but Microsoft isn't that evil.
Re:I *Hate* to Side With Google, But ... (Score:5, Insightful)
Re: I *Hate* to Side With Google, But ... (Score:5, Informative)
Re: (Score:2)
where everyone can review the code
While I agree with you in general, F-Droid has the benefit of being small. However we have to stop this meme of "many eyes". Everyone *can* review the code. No one does. This should be obvious from the many high profile security SNAFUs over the past decade in the open source world. Additionally there's zero guarantee any of the binaries delivered through F-Droid are in any way related to the code on GitHub; there's no chain of trust between reviewed code and executed code on your device.
(To be clear I am ag
Re: (Score:3)
It isn't a reasonable step for Google in this particular case here because those users specifically decided they wanted to be managed by ANOTHER ecosystem maker, F-DROID, which implements its own security model. The whole point of f-droid being that its security model is VASTLY BETTER than Google's.
Re: (Score:2)
Re: (Score:3)
The premise is that the customer (the person who owns the computer) has said "No thank you, I would rather that I (and my agent, F-Droid) manage it myself. Your interference is unwanted." That's what the owners are doing when they decide to install F-Droid.
I wonder if convicting some Google employees and everyone above them in the management tree of CFAA, might help remind everyone who is allowed to break whose computers.
Re: (Score:3)
Sorry but I just don't understand where you're coming from. If I go out of my way to install a third party app store, and authorize the phone to allow that app store to download and install things, that's on me. This whole thing smacks of malicious compliance with regulations coming out of the EU and other jurisdictions over their monopoly. This is about greed pure and simple. If they can't get a cut of the revenue from other app stores directly, they'll do it indirectly. Very shady. Plus I have a hunch
Re: (Score:3)
Re:I *Hate* to Side With Google, But ... (Score:4, Insightful)
I'm loath to side with Google on anything, but
The only reason to use this language is an attempt to convince the reader you are impartial.
but if you're going to manage ANY ecosystem, it seems like a pretty reasonable security step to want to know who is behind the software that's being installed on your users' machines.
I have no idea who is behind nearly all of the software I run. Do you know who is behind the software you run?
The only alternative seems to be "let complete strangers, who could be threat actors, provide apps containing potentially malicious code." I can't really fault Google for preventing that.
It doesn't matter who writes the code, it only matters what it actually does. Google's own marketplace is full of closed source malware. Apps on F-droid are far more trustworthy than apps on Google's app store. Google Play Services itself is malware.
Re: (Score:1)
Google is breaking EU law by making Android a walled garden
Re: (Score:2)
That is the users' decision. Yes, Google can offer to block the ones not up to their standards, but even a block-by-default that you can turn off is likely a gross violation of (European) anti-trust law.
Incidentally, the identity of who is behind some app does not matter. Basically nobody can derive anything from that. What matters is what history a developer has.
Re: (Score:2)
but if you're going to manage ANY ecosystem
Let me stop you right there. Not every ecosystem needs to be managed, and most definitely not by some corporate entity in it for the cash. Google already offer you a managed experience. You already need to acknowledge deviating from this experience when you sideload something.
There's a difference between getting someone to manage something for you, and getting someone to manage something *against* you. Ultimately *YOU* should remain in control over what, how and who does the managing.
Side-loading (Score:5, Insightful)
This mostly completely ruins side-loading.
Side-loading was much more than just going around the Play Store, but it was a way to load ANY app you wanted on YOUR phone (like, perhaps, an app you developed yourself). Or maybe an app that Google doesn't want or like us using. It is a huge death-knell for community-developed open-source apps. But, of course, it will slide in place in the name of "security."
Google is now coming full circle to "Apple" mode.
Re:Side-loading (Score:4, Insightful)
This mostly completely ruins side-loading.
Side-loading was much more than just going around the Play Store, but it was a way to load ANY app you wanted on YOUR phone (like, perhaps, an app you developed yourself). Or maybe an app that Google doesn't want or like us using. It is a huge death-knell for community-developed open-source apps. But, of course, it will slide in place in the name of "security."
Google is now coming full circle to "Apple" mode.
I'm wondering if LineageOS will remain a way of getting around Google's bullshit.
I'm on Lineage, and I don't have Play or any other Google services installed. Everything on my phone came from F-Droid, from websites hosting APK downloads, or from my own computer via ADB.
I have a Pixel 7a that I plan to wipe so I can install Lineage. If LineageOS goes away, or if I lose access to the apps I'm used to, then when the time comes I'll either get a feature phone, or get a Pinephone and live with its poor battery life and its texting and phone problems. I WILL NOT rejoin the Google ecosystem, and I WILL NOT get a Fruitphone - my wife is on Apple and I hate that damned patronizing, locked-down, curated, excessively prettified bullshit ecosystem.
BTW, fuck Google with a running chainsaw inserted sideways. Google needs to Just. Fucking. Die.
Re: (Score:3)
>"I'm wondering if LineageOS will remain a way of getting around Google's bullshit. I'm on Lineage, and I don't have Play or any other Google services installed. Everything on my phone came from F-Droid, from websites hosting APK downloads, or from my own computer via ADB."
The main problem with this approach is that most people *MUST* be able to run "official" apps for things like their bank, rent, employer, car, etc, etc. If those are ONLY on the Play Store (which is extremely likely) then you cannot
Re: (Score:2)
>"The only open left is antt-trust regulatory action. But that isn't likely to happen either."
Sorry, hopefully obvious typos:
"The only option left is anti-trust regulatory action. But that isn't likely to happen either."
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
Some governments (for example the UK government) require you to use a smartphone app to access your National Insurance record (with no other option for non-UK citizens), and they also require your relatives to use a smartphone app to acquire an "Electronic Travel Authorization" to enter the UK, even if they are EU-citizens (who have the right to enter as part of the agreement the UK signed so their citizens can travel to EU countries). How do I know? Because their crappy apps require relatively high versions of Android (Android 10 and Android 12 respectively), and my trusty HTC U11+ is on Android 9, so I looked for an alternative method. Nope. Also, you can't use BlueStacks because the apps need a device with an NFC coil to scan your passport, and most PCs don't have such a thing. You will carry a corporate identity disc to have basic human rights (such as viewing your National Insurance contributions), and it must be relatively new. Eventually, I borrowed a phone that had Android 10.
I guess if this kind of thing ever affects me to any extent, I'll be carrying multiple phones. One for banking only, one for government ID only, and one that I actually use from day to day. The first two will simply be expensive, heavy ID cards that don't fit into my wallet.
Re: (Score:2)
Refuse to be bullied into this type of thing and stand up for your rights!
Thanks. As you can probably tell, I've already done that. :-) My phone's only connection with my bank is that they call me with a code for 2FA when I'm doing banking on my computer. I don't pay for anything with my phone, I don't use Facefuck or Twitt-X, and I view YouTube videos using PipePipe.
Re: (Score:2)
The main problem with this approach is that most people *MUST* be able to run "official" apps for things like their bank, rent, employer, car, etc, etc. If those are ONLY on the Play Store (which is extremely likely) then you cannot effectively use any Android alternative, unless it offers the Play Store as well. And Google then is in full control again.
There are a number of sites and apps that let you install apps from the play store software without the play store. Some apps have play service dependencies and won't run without solutions like MicroG.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Sure if you don't want to use Google Play Services and any of the google apps, then there's no restriction. The moment you do, however, you have to lock down the OS. I'm not exactly sure how this is enforced, but I assume it's part of the Google Play Services or some other Play-delivered part of the operating system.
There will be loads of phones from China that don't have Google Play and would be quite happy with F-Droid or any other form of side loading.
Re: (Score:2)
Google Play Services asks for broad access to your device (just go here: https://play.google.com/store/... [google.com] , click on the arrow next to "About this app", and then click on "View Details" under "Permissions" and see for yourself). And of course, Play Services will refuse to work if it doesn't get every single one of those permissions. And of course, the Play
Re:Side-loading (Score:4)
Re: (Score:2)
This mostly completely ruins side-loading.
Side-loading was much more than just going around the Play Store, but it was a way to load ANY app you wanted on YOUR phone (like, perhaps, an app you developed yourself). Or maybe an app that Google doesn't want or like us using. It is a huge death-knell for community-developed open-source apps. But, of course, it will slide in place in the name of "security."
The very notion that installing software you want to use on your own computer would be called "sideloading" is an obvious attempt at psychological framing.
In addition to rejecting persistent attempts to lock down execution from the corporations the acceptance of terminology which subconsciously lends credibility to the indefensible should also be rejected.
What Google is doing is telling billions of people they will no longer be able to install software they want to use on the handheld computers they own.
And that is why I am switching to IOS soon! (Score:5, Insightful)
If I'm going to be forced to wear handcuffs, I am going to have the shiniest handcuffs on the market and that is not Android. I tolerate android because it grants me the freedom to *gasp* run programs of my choosing on a computer that I own. Take that away and the value proposition is gone. iPhone here I come!
Re: (Score:1)
Re: (Score:2)
Well if it weren't for the apps shackling me to a certified device, I would just run lineage os and be done with it. Unfortunately, my banking app and my employer's 2FA apps do not work with non-certified devices.
Re: (Score:2)
Why can't we do what we might do on the desktop - sandbox the shit that must be locked down, or requires Google Play, etc. to a VM/container?
Re: (Score:3)
If I'm going to be forced to wear handcuffs, I am going to have the shiniest handcuffs on the market and that is not Android. I tolerate android because it grants me the freedom to *gasp* run programs of my choosing on a computer that I own. Take that away and the value proposition is gone. iPhone here I come!
I envy your ability to do that. I just can't stand Apple - I get hives merely accompanying my wife into one of their stores. Like you, I don't want a fucking "ecosystem". I want a phone that's also a pocket computer - one whose applications and update schedule I determine. And I don't want all my personal shit in the Cloud - that stuff is my business, not the business of my fucking hardware provider.
Re: (Score:2)
I could see this, but the fancy equipment is useless if it doesn't do what I tell it to. I'll be coming off a flagship Samsung to the crappiest iPhone that the market can provide. I'll bank, text, and pay my parking meter with it. What a good little citizen I will be.
Re: (Score:1)
Re: (Score:2)
Apple's handcuffs are still thicker.
I despise this change, but at least I'll be able to run Firefox with ublock origin for now.
Re: (Score:2)
Re: (Score:2)
Talk is cheap. People have been threatening to leave Apple for a decade in the same way, they probably just posted that from their new iPhone 15.
Your post is a nice feel good post, but I am incredibly cynical as to whether you would actually change your entire ecosystem because of this.
Re: (Score:2)
No, you cannot. As far as I understand the Google announcement, you can load with adb only an app with a registered unique id, signed with the key of the developer who registered this id. Even with adb.
So if you are developing apps to distribute via the Play Store, no problem. You have to pay the registration fee anyway, and you just have to add one step to your build process - sign the APK with our key.
But if you want to sideload somebody else's application, even if it is open source and you compiled it yourself, you cannot, unless yo
google trying... (Score:2)
to be Apple.
I've been slowly walking away from Google (Score:2)
I recently replaced all the phones in my household with ones that are supported by GrapheneOS. I'm moving my personal email domain hosting off of Google Workspace services, but unfortunately I'm still stuck on doing Chrome Enterprise until I find a better solution for my mother's laptop management.
Sounds like an illegal monopoly (Score:2)
I guess a $1B fine from the EU is incoming.
Hopefully a new market opens (Score:2)