
Keep Android Open is not another argument about whether random APK sites are risky. It is a fight over who gets final approval when an Android user installs software outside Google Play.

Google says its new Android developer verification requirement adds accountability against malware and scams. Critics say the same system turns Google into a global checkpoint for Android app distribution, including F-Droid apps, hobby projects, private betas, and direct downloads from developers.

The important date is not today. It is September 30, 2026, when Google says apps must be registered by verified developers to be installed and updated on certified Android devices in Brazil, Indonesia, Singapore, and Thailand. Global rollout follows in 2027 and beyond, according to Google’s own developer verification timeline.

If you use Android because you can install apps from outside the Play Store, this is the policy to understand now.

What Keep Android Open is

Keep Android Open is a public campaign opposing Google’s mandatory developer registration plan for Android app distribution. Its open letter is signed by dozens of organizations across free software, digital rights, privacy, and open web communities, including F-Droid, EFF, Proton, Tor Project, VideoLAN, GrapheneOS, LineageOS, KDE, GNOME, FSFE, and BEUC.

The campaign’s core argument is simple: Android was sold as the mobile platform where users could install apps from different sources. If Google can block installation unless a developer has registered identity and package details with Google, Android sideloading becomes permissioned by default.

That does not mean every concern in the campaign should be read as a settled technical fact. Google has since published an advanced flow for installing unregistered apps, plus a limited distribution account for students and hobbyists. The conflict is about whether those exceptions preserve real user choice, or turn it into a high-friction escape route that only power users will ever complete.

What Google’s Android developer verification changes

Google announced the new requirement in August 2025, saying Android had found far more malware from internet-sideloaded sources than from Google Play and needed a stronger way to stop repeat bad actors. In Google’s framing, developer verification is an identity check, not a content review.

The practical requirement is broader than Google Play. Google’s developer documentation says apps in covered regions must be registered to a verified developer to be installed on certified Android devices. Developers verify identity, register package names, and prove app ownership with a signed APK. Organizations may need a D-U-N-S number and website verification; individuals may need to provide government ID.

Google’s March 2026 rollout post adds three details users should know:

That last point is why the policy matters to normal users. This is no longer just a Play Console rule for developers who choose to publish on Google Play. It affects APK sideloading, alternative app stores, and direct developer downloads on certified Android devices.

The 2026 Android sideloading timeline

| Date | What changes | Who is affected |
| --- | --- | --- |
| August 2025 | Google announces Android developer verification | Developers distributing apps on certified Android devices |
| November 2025 | Early access begins for Android Developer Console and Play Console | Early registrants and Play developers |
| March 2026 | Verification opens to all developers | Play and non-Play developers |
| June 2026 | Early access begins for limited distribution accounts | Students, hobbyists, small test groups |
| August 2026 | Limited distribution accounts and advanced flow launch globally | Developers and power users |
| September 30, 2026 | Enforcement begins in Brazil, Indonesia, Singapore, and Thailand | Users installing or updating unregistered apps |
| 2027 and beyond | Google continues global rollout | Certified Android devices worldwide |

Google calls the first September rollout regional. Keep Android Open calls the policy global because Google has already said broader rollout comes in 2027 and beyond. Both statements are true, but they answer different questions.

For users, the near-term impact is highest if you live in Brazil, Indonesia, Singapore, or Thailand, or if you maintain apps for users there. For everyone else, this is a preview of the install rules likely coming to certified Android devices later.

Why F-Droid and open-source developers object

F-Droid’s objection is not that malware should be ignored. It is that F-Droid works through a different trust model.

In its September 2025 response, F-Droid explained that its repository reviews open-source apps, checks for anti-features such as ads or trackers, builds packages from source when possible, and publishes build logs. The project argues that a central Google registration layer does not fit that model because F-Droid cannot force every upstream maintainer to register with Google, and it cannot simply claim all package identifiers for apps it distributes without taking control away from those developers.

That is the concrete risk. If a developer of a small FOSS utility does not register, users in covered regions may need ADB or the advanced flow to install or update that app on certified devices. If enough developers opt out, the catalogue becomes harder to use even if the source code remains online.

EFF makes the civil-liberties version of the same argument. In its analysis of app gatekeeping, EFF warned that identity-based registration can chill developers who need privacy, including journalists, dissidents, researchers, and volunteers building tools for sensitive communities.

That concern is not abstract. A verified developer database creates a new place where app identities, package names, and legal identities meet.

Google’s security case

Google’s strongest argument is that Android users are already being targeted by social engineering, fake banking apps, impersonation, and malware campaigns that push people outside Google Play. In its August 2025 announcement, Google said internet-sideloaded sources had far more malware than apps available through Google Play. In March 2026, it repeated the point with an even higher comparison in a rollout post.

The advanced flow is Google’s answer to the “Android is becoming iOS” criticism. Google says power users will still be able to install software from unverified developers after enabling developer mode, confirming they are not being coached, restarting the phone, waiting through a one-day delay, reauthenticating, and choosing whether the permission lasts seven days or indefinitely.

Google also created a limited distribution account for people who build apps for learning, family, friends, or classrooms. It is free, does not require government ID, and can share apps with up to 20 user-authorized devices.

Those are real concessions. They also show why the argument has shifted from “can Android still sideload?” to “how much friction is acceptable before sideloading stops being practical for regular people?”

What changes for Android sideloading in 2026

Android sideloading still exists, but the trust decision is moving upstream.

Today, you can install from F-Droid, Aptoide, Obtainium, APKMirror, a developer website, or a GitHub release if Android allows that source to install unknown apps. Google Play Protect may scan the app and warn if it finds risk. You can still make the final call.

Under developer verification, the covered-region default changes. If the app is registered to a verified developer, most users should see little difference. If the app is not registered, the normal install path can be blocked unless the user uses ADB or Google’s advanced flow.

That means the source matters more than ever:

For the current install workflow, use our Android sideloading 2026 safe install guide. For store-by-store differences, start with our Aptoide vs Aurora Store vs F-Droid vs APKMirror comparison and the broader Google Play Store alternatives guide.

The app store choice problem

The sharpest criticism is not that Google wants malware accountability. It is that the verification layer sits above every distribution channel on certified devices.

| Question | Google’s answer | Keep Android Open’s concern |
| --- | --- | --- |
| Is this a Play Store policy? | No. It applies to apps installed on certified Android devices in covered regions. | That makes Google a gatekeeper for non-Play distribution too. |
| Does Google review app content? | Google says it verifies developer identity, not app content. | Identity control can still block anonymous, small, or politically sensitive developers. |
| Can users still install unregistered apps? | Yes, through ADB or the advanced flow. | The advanced flow adds enough friction that most users will not use it. |
| Are hobbyists covered? | Google has a free limited distribution account for up to 20 authorized devices. | Twenty devices does not cover public open-source distribution. |
| Does this improve security? | Google says it deters repeat malware operators. | Critics say Play Protect and transparent build systems already address risk without central identity registration. |

We do not think Android users should pretend APK risk is fake. It is not. Clone apps, fake banking apps, modded APKs, and deceptive download pages are real problems.

But user protection and app store choice are not the same thing. A rule can reduce one class of scam while also narrowing who can publish software that ordinary Android users can install. That trade-off deserves scrutiny before it becomes the default around the world.

What users should do now

If you only install apps from Google Play, nothing changes immediately. Your Google Play apps are likely already connected to verified Play Console developers.

If you use apps from outside Google Play, take an inventory now. Note which apps come from F-Droid, Aptoide, APKMirror, GitHub, direct developer APKs, or private workplace channels. Make sure each one has a clear update path.
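One way to take that inventory from a computer with ADB access to the phone, shown here as an added example that is not part of the original article: it groups third-party packages by the installer Android recorded for each. The sample input is constructed, and the mapping from installer IDs to source labels is an assumption that can differ between devices and Android versions.

```shell
#!/bin/sh
# Added example: group third-party apps by the installer Android recorded.
# Live use:  adb shell pm list packages -i -3 | inventory_by_source

# Constructed sample of `pm list packages -i -3` output (not from a real device).
sample_pm_output() {
cat <<'EOF'
package:org.example.notes  installer=org.fdroid.fdroid
package:com.example.bank  installer=com.android.vending
package:net.example.player  installer=com.google.android.packageinstaller
package:io.example.betabuild  installer=null
package:org.example.maps  installer=org.fdroid.fdroid
package:com.example.game  installer=com.example.thirdstore
EOF
}

# Reads pm output on stdin, prints "source<TAB>package" sorted by source.
inventory_by_source() {
  tr -d '\r' | awk '
    /^package:/ {
      pkg = $1; sub(/^package:/, "", pkg)
      inst = "null"
      for (i = 2; i <= NF; i++)
        if ($i ~ /^installer=/) { inst = $i; sub(/^installer=/, "", inst) }
      # Label mapping is an assumption; installer IDs vary by device and OS build.
      if (inst == "com.android.vending") src = "google-play"
      else if (inst == "org.fdroid.fdroid") src = "f-droid"
      else if (inst ~ /packageinstaller$/) src = "manual-apk"
      else if (inst == "null" || inst == "") src = "adb-or-unknown"
      else src = "other:" inst
      print src "\t" pkg
    }' | sort
}

# Count of apps not installed by Google Play: the ones to check for an update path.
count_non_play() {
  inventory_by_source | awk -F '\t' '$1 != "google-play" { n++ } END { print n + 0 }'
}

sample_pm_output | inventory_by_source
```

Packages labelled `manual-apk`, `adb-or-unknown`, or `other:` have no store managing their updates that this script recognises, so those are the ones to check first.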

If you rely on F-Droid, keep it installed and updated. The Keep Android Open campaign specifically asks users to install and use alternative stores because they only survive if real users keep them in the loop.

If you are a developer, read Google’s developer verification guide and decide whether full distribution, Play Console registration, or limited distribution fits your app. If you maintain open-source apps anonymously or for a sensitive community, read F-Droid’s position before handing identity data to any centralized account system.

If you are in Brazil, Indonesia, Singapore, or Thailand, treat September 30, 2026 as the practical deadline. Apps that are not registered by then may still be installable, but the install path will be more technical.

The bottom line

Keep Android Open is right about the stakes: this is one of the biggest Android app distribution changes since sideloading became normal on smartphones.

Google is also right that sideloaded malware and scam-driven installs are real. The weak point is the remedy. A global developer identity checkpoint can become more than a malware defense, especially when it applies outside Google Play and connects app identifiers to verified real-world identities.

The best outcome is not “no checks at all.” It is a system where users can choose verified stores, open-source repositories, direct developer channels, and expert install paths without turning every public Android app into a Google-registered artifact.

That is why this fight matters. Android’s value is not only the Play Store. It is the ability to leave it.

FAQ

What is Keep Android Open?

Keep Android Open is a campaign opposing Google’s mandatory Android developer verification requirement, which applies to apps installed both inside and outside Google Play. It argues that the rule turns Google into a central gatekeeper for Android app distribution, including F-Droid, independent developers, and direct APK downloads.

What is Android developer verification?

Android developer verification is Google’s new requirement that apps be registered to developers with verified identities before normal installation on certified Android devices in covered regions. Google says the policy is meant to reduce malware and repeat abuse from anonymous bad actors.

Will Android sideloading stop working in 2026?

Sideloading will not disappear completely. Google’s official plan says unregistered apps can still be installed with ADB or an advanced flow, but the normal install path changes in covered regions starting September 30, 2026. The debate is whether that extra friction is acceptable for regular users.

Which countries are affected first?

Google says enforcement starts in Brazil, Indonesia, Singapore, and Thailand on September 30, 2026. It plans to continue global rollout in 2027 and beyond.

Does this affect F-Droid?

Yes, potentially. F-Droid can still exist as an app repository, but apps distributed through it may need their upstream developers to register with Google for normal installation on certified devices in covered regions. F-Droid says that requirement threatens how open-source Android distribution works.

What should Android users install now?

Keep using Google Play for apps where it is the right source, but do not make it your only option. Install and learn reputable alternatives such as F-Droid, Aptoide, Aurora Store, and Obtainium before you urgently need them, then follow a verified sideloading workflow when installing APKs outside Play.