DISCLOSURE: This article contains affiliate links. If you purchase through these links we may receive a small commission at no additional cost to you. This helps us keep the site free and independent. Our opinions remain unbiased.

Starting September 2026, distributing an Android app outside of Google Play could require Google’s blessing. The company has announced a new policy mandating that all developers, including those who publish through their own websites, third-party stores like F-Droid, or direct downloads, register with Google, pay a $25 fee, submit government-issued ID, and cryptographically link their apps to their verified identity. Apps that don’t go through this process will be blocked from installing on certified Android devices.

The #KeepAndroidOpen campaign, spearheaded by F-Droid and backed by 41 organizations including the Electronic Frontier Foundation, Free Software Foundation, Tor Project, Proton, Vivaldi, KDE, Nextcloud, Fastmail, and Tuta, has published an open letter addressed to Sundar Pichai, Larry Page, and Sergey Brin demanding the policy be withdrawn.

What the new policy requires

Until now, Android worked differently from iOS: anyone could build an app and distribute it however they wanted. Google’s verification only applied to Play Store listings.

That changes under the new framework. Every developer will need to create an account in Google’s new console, agree to its terms of service, complete identity verification with a government ID, and submit the cryptographic fingerprint of their signing key. Developers with an existing Play Console account can extend it, but those who have always distributed independently will have to start from scratch.

Enforcement begins in September 2026 in Brazil, Indonesia, Singapore, and Thailand, with a global rollout to follow.

Why 41 organizations object

The signatories raise several concrete concerns. Android already has working security mechanisms that don’t require centralized registration: app sandboxing, permission controls, sideloading warnings, developer signing certificates, and Google Play Protect.

There’s also the contradiction of forcing privacy-focused developers to hand over personal documents and government ID to Google as a condition for distributing their software. The letter also flags the risk of arbitrary enforcement, given Google’s track record of opaque and hard-to-appeal decisions on the Play Store.

On the competition front, the policy gives Google visibility into all Android development happening outside its own ecosystem: what’s being built, by whom, and how it’s distributed. That’s a significant intelligence advantage for a company that directly competes with many services on its own platform.

The F-Droid problem

The most difficult situation involves F-Droid, the main open-source app repository for Android. F-Droid builds apps directly from source code using its own signing keys, a process that ensures transparency but creates a technical conflict with Google’s verification system, which requires a match between app and original developer identity.

If independent developers decide the added bureaucracy isn’t worth the effort, the available catalog could shrink dramatically. Community estimates from the F-Droid forums suggest up to 85% of apps distributed through the store could end up in limbo.

What about alternative operating systems?

According to The Register and confirmed in community forums, operating systems like GrapheneOS, LineageOS, and /e/OS should not be directly affected, since they are not “Google-certified” devices and the restrictions don’t apply to them.

The indirect impact, however, is real. If fewer developers bother distributing outside the Play Store, the pool of available apps shrinks for everyone, including users of these alternative systems. The issue isn’t technical but practical: less independent distribution means less choice across the board.

Beyond security

Google frames the policy as a security measure. The open letter signatories see it differently: Android has operated under an open model for seventeen years, and no evidence has been presented that existing protections are inadequate. The timing also coincides with increased regulatory scrutiny, including the European Commission’s Digital Markets Act investigation and the US Department of Justice’s antitrust proceedings.

For those looking to reduce their dependence on Google, there are solid options that don’t require a single company’s approval to function. For email, services like Proton Mail, Tuta, or Fastmail offer privacy-respecting alternatives. For DNS filtering, AdGuard DNS or NextDNS block tracking and ads without going through Google. And for cloud storage, European solutions like Infomaniak kDrive or Proton Drive provide viable options for anyone looking to move away from the usual names.