Starting in September 2026, Google will require every Android app developer to register with Google, submit government-issued identification, and pay a fee before their apps can be installed on any certified Android device.
This includes apps you sideload. Apps from F-Droid. Apps from Aurora Store. Apps you build yourself.
If the developer hasn’t registered with Google, the app won’t install.
What Google Is Actually Doing
Google announced this policy in August 2025 under the banner of “developer verification.” Here’s what it requires:
For individual developers:
- Android Developer Console account ($25 fee)
- Government-issued identity documents
- Verified phone number linked to a Google payment profile
For organizations:
- All of the above, plus:
- Business registration documents
- Verified website
Timeline:
- March 2026: Verification enrollment opens for all developers
- September 2026: Enforcement begins in Brazil, Indonesia, Singapore, and Thailand
- 2027 and beyond: Global rollout
This applies to all install methods - not just the Play Store. Sideloading, third-party app stores, enterprise distribution - all of it.
The “Advanced Flow” Loophole
After massive backlash from developers, open-source advocates, and organizations like the EFF and F-Droid (who organized 37+ organizations in opposition), Google announced an “advanced flow” in November 2025.
This flow would allow “experienced users” to install unverified apps after navigating through a series of warning screens designed to “resist social engineering.”
Don’t celebrate yet. Critics have pointed out:
- No advanced flow will be available before the September 2026 lockdown
- The flow is designed to be high-friction - multiple warning screens, scary language
- Google controls the definition of “experienced user”
- The average person will never find or navigate this option
- Google can remove or further restrict it at any time
This is not a reversal. It’s a pressure valve to deflect criticism while the core policy moves forward.
Who Gets Hurt
F-Droid
F-Droid is the primary repository for free and open-source Android apps. It’s not on the Play Store. You install it by downloading an APK from their website.
F-Droid distributes hundreds of apps from developers who are anonymous by design - because privacy-respecting software shouldn’t require surrendering your identity to a surveillance corporation. Under the new policy, every one of those developers must register with Google or their apps become uninstallable.
The seven-month window between enrollment opening (March) and enforcement (September) compresses what would normally be a multi-year transition for a project like F-Droid.
NewPipe and YouTube Alternatives
NewPipe lets you watch YouTube without ads, tracking, or a Google account. It’s not on the Play Store for obvious reasons - Google doesn’t want you using YouTube without their surveillance layer. Under the new rules, the NewPipe developers would need to register with Google (the company whose product they’re providing an alternative to) just to let you install their app.
Aurora Store
Aurora Store is a privacy-respecting front-end for downloading Play Store apps without a Google account. Same problem - it exists specifically because people want to avoid Google’s ecosystem, and now it needs Google’s permission to be installed.
Custom ROMs and Power Users
If you build apps for personal use, test pre-release software, or run any kind of development workflow that involves installing APKs - all of it now goes through Google’s verification gate.
Why “Security” Is Not the Real Reason
Google’s stated justification: they found “50 times more malware from internet-sideloaded sources than on apps available through Google Play.”
That statistic is real, and malware from sideloading is a genuine problem - particularly in markets like Brazil and Southeast Asia where financial scam apps are widespread.
But this policy doesn’t just target malware. It targets all software distribution outside Google’s control. The distinction matters:
- Targeted approach: Warn users about unknown sources, improve Play Protect scanning, educate about risks
- What Google chose: Require every developer on Earth to register with Google and submit government ID
This is the digital equivalent of requiring every author to register with Amazon before anyone can read their book. It doesn’t matter if you’re distributing through a library, a bookstore, or handing it to a friend - Amazon gets a veto.
Marc Prud’hommeaux, F-Droid board member and founder of the Keep Android Open movement, estimates 90-95% of Android developers oppose this policy. It’s not about security. It’s about control.
What You Can Do
Short Term: Prepare Now
- Download and back up your APKs - Save copies of F-Droid, NewPipe, Aurora Store, and any other sideloaded apps you rely on before September 2026
- Enable ADB sideloading - ADB (Android Debug Bridge) installs may still work, but require connecting to a computer. Not practical for daily use, but a fallback.
- Stay informed - Follow the Keep Android Open campaign and support the EFF’s opposition
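One way to carry out the backup step above for apps already installed on the phone, shown as an added example that is not part of the original article. It assumes `adb` is on the PATH and a single device has authorised USB debugging; the function names are illustrative and the package names are supplied as arguments.

```shell
#!/bin/sh
# Added example (not from the original article): copy the APK files of
# installed apps off a phone over ADB and record SHA-256 hashes.
# Assumptions: adb is on PATH and one device has authorised USB debugging.
# Function names are illustrative.
# Usage: sh backup_apks.sh <backup-dir> <package> [<package> ...]

# Print the on-device APK paths of a package (one line per split APK).
apk_paths() {
    adb shell pm path "$1" | tr -d '\r' | sed -n 's/^package://p'
}

# Pull every APK of package $1 into <backup-dir>/<package>/.
backup_package() {
    pkg=$1
    dest=$2/$1
    paths=$(apk_paths "$pkg")
    [ -n "$paths" ] || { echo "not installed: $pkg" >&2; return 1; }
    mkdir -p "$dest"
    for p in $paths; do
        adb pull "$p" "$dest/$(basename "$p")" >/dev/null || return 1
    done
}

# Write SHA256SUMS covering every backed-up APK under <backup-dir>.
write_manifest() {
    (cd "$1" && sha256sum */*.apk > SHA256SUMS)
}

# Re-hash the backup; non-zero exit if any file is missing or altered.
verify_backup() {
    (cd "$1" && sha256sum -c SHA256SUMS >/dev/null)
}

if [ "$#" -ge 2 ]; then
    out=$1
    shift
    for pkg in "$@"; do
        backup_package "$pkg" "$out" || exit 1
    done
    write_manifest "$out" && verify_backup "$out"
fi
```

Run `verify_backup <backup-dir>` again before reinstalling from the copies. An app that was delivered as split APKs needs all of its files installed together.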
Long Term: Leave Stock Android
The policy only applies to certified Android devices - phones running Google’s version of Android with Google Play Services.
GrapheneOS is the answer.
GrapheneOS is a privacy and security-focused mobile operating system built on Android’s open-source foundation (AOSP), but without Google’s control layer. It runs on Google Pixel hardware (ironically, the most secure Android hardware available) but strips out all Google services.
With GrapheneOS:
- Install any app from any source - no developer verification required
- No Google Play Services tracking your location, contacts, and usage patterns
- Sandboxed Google Play compatibility (optional) - run Play Store apps in isolation if you need them
- Verified boot, hardened memory allocator, and security features that exceed stock Android
- You own your device. Not Google.
Getting Started with GrapheneOS
GrapheneOS installation requires flashing firmware to a Pixel phone. If you’re comfortable with command-line tools, the official installation guide is straightforward.
If you’d rather have help:
I offer hands-on GrapheneOS setup services through Djedi Consulting:
| Service | What You Get | Price |
|---|---|---|
| DIY Guide | Step-by-step written guide with support via secure messaging | $50 |
| Remote Setup | Screen-share guided installation with full app migration | $250 |
| In-Person Setup | I set up your Pixel with GrapheneOS, migrate your apps, and walk you through everything | $400 |
All services include:
- F-Droid and Aurora Store configuration
- Recommended privacy app stack (Signal, Tor Browser, NewPipe, etc.)
- Secure messaging channel for follow-up questions
- No Google account required
The Bigger Picture
Android was marketed as the “open” alternative to Apple’s locked-down iOS. That openness is being dismantled, one policy at a time:
- 2017: Play Protect begins scanning sideloaded apps
- 2023: Play Integrity API lets apps refuse to run on unlocked devices
- 2025: Developer verification announced for all install methods
- 2026: Enforcement begins - unverified apps blocked on certified devices
Each step was framed as a security improvement. Each step moved control further from users to Google. The pattern is clear.
The open-source community saw this coming. That’s why GrapheneOS exists. That’s why F-Droid exists. That’s why projects like /e/OS and LineageOS exist.
Your phone is yours. If the operating system disagrees, replace the operating system.
Resources
- Keep Android Open - Campaign opposing developer verification
- F-Droid Open Letter - 37+ organizations opposing the policy
- GrapheneOS - Privacy-focused mobile OS
- FreeDroidWarn - App that warns about sideloading restrictions
- Privacy 101: Week 1 - Start learning about digital privacy
- Cypherpunk 101 - Hands-on privacy and security course
This is original analysis from Cypherpunk School. We don’t run ads, we don’t track you, and we accept Monero donations if you found this useful.