This post is based on my own research across Google’s official documentation, statements from the open-source community, and independent technical analysis. I’m not a developer or a lawyer. The situation is still developing, and I’d encourage you to read the primary sources — all linked throughout — and form your own view.
For the broader picture of how Big Tech operates and what it costs you in privacy, read our post on Big Tech companies in Australia.
This one has been sitting in my drafts for a while. I’ve been watching this story develop since Google first announced it in August 2025 and wanted to make sure I had a solid picture before publishing. Here’s my honest take: this is one of the most significant shifts in smartphone freedom I’ve seen in years, and most Android users have no idea it’s coming.
Google’s own developer documentation says it plainly: “Starting in September 2026, Android will require all apps to be registered by verified developers in order to be installed on certified Android devices.”
One sentence. That’s the whole story.
Android has always been different from Apple’s iPhone in one genuinely important way: you could install whatever software you wanted on it. Not just apps from Google’s official store — any app, from any source, built by anyone. That openness is what allowed privacy-focused apps to flourish, what allowed open-source stores to exist, and what made Android genuinely different from the walled garden Apple built. Google is now moving to end that. At least on the 95-plus per cent of Android devices that run Google’s certified software.
Before we go any further, a quick translation of the terms you’ll hear thrown around in this conversation.
APK stands for Android Package Kit. It’s the file format Android uses to install apps — think of it like a .exe file on Windows. It’s the actual program file that lands on your phone when you install something. Every app you’ve ever downloaded, from anywhere, arrived as an APK.
Sideloading means installing one of these APK files from a source other than the Google Play Store — directly from a developer’s website, from a community repository, from an alternative app store, or from a file you’ve downloaded yourself. Android has always allowed this. It’s one of the things that made Android genuinely open compared to Apple.
Open-source apps are apps whose code is publicly available for anyone to read, audit, and verify. You don’t have to trust the developer’s word that the app doesn’t spy on you — you can look at the code yourself, or rely on others in the community who have. Many of the best privacy tools in the world are open-source.
Sideloading Apps is how open-source app stores work. It’s how the apps we install on every FreedomTech device reach your phone. And it’s what Google is now putting conditions on.
Under the new policy, every app installed on a certified Android device must come from a developer who has registered with Google and verified their identity. That covers not just the Play Store — it covers every app, from every source. Sideloading apps, downloading directly from a developer’s website, installing from alternative stores — all of it requires a verified developer from September 2026.
To register, developers must go through Google’s Android Developer Console and hand over their legal name, home address, email address, and phone number. In most cases they’ll also need to upload a government-issued ID. Organisations need a D-U-N-S number on top of that — a business identifier from Dun & Bradstreet that can take up to 30 business days to obtain.
There’s a free tier called Limited Distribution for students and hobbyists that skips the government ID requirement and allows distributing apps to up to 20 devices. The paid Full Distribution tier costs US$25 as a one-time fee and requires full identity verification.
The enforcement begins September 2026 in Brazil, Indonesia, Singapore, and Thailand. Global rollout follows in 2027.
F-Droid has been the gold standard for open-source app distribution on Android for over 15 years. It hosts around 5,000 apps — all open-source, all reviewed for privacy compliance before they’re listed. If you’re running a FreedomTech deGoogled phone, F-Droid is your primary app store. Every app in its catalogue is publicly auditable. That’s not a marketing claim — it’s technically verifiable by anyone with the time to look.
The problem F-Droid faces under this policy is structural, and it has no clean answer on certified Android devices.
F-Droid doesn’t just host apps — it takes open-source code, reviews it, compiles it, and distributes it signed with F-Droid’s own cryptographic key. Not the original developer’s key. Google’s new system wants each app tied to one verified developer identity. As the New Stack reported in a March 2026 interview with F-Droid board member Marc Prud’hommeaux: Google wants only one signature per app, which “all of a sudden breaks all those versions of the application distributed through F-Droid or any other app store.”
F-Droid has two options, both impossible. Compel thousands of anonymous volunteer developers — many of whom are anonymous for good reason, many of whom will simply say no — to hand their personal identity documents to Google. Or register all apps under F-Droid’s own identity, claiming ownership over code it didn’t write.
F-Droid’s own position, stated in their September 2025 response and reaffirmed in the February 2026 open letter signed by 56 organisations worldwide, is that this policy as written ends the F-Droid project on certified Android devices. That’s not hyperbole. That’s their assessment of their own situation.
Aurora Store lets you download Play Store apps without a Google account. Because it distributes apps whose developers are already Play Store verified, most apps through Aurora Store will likely continue working. However, Aurora Store itself is an unverified app — and Aurora Store has confirmed it will not register with Google. That means getting Aurora Store onto a certified device from September 2026 may itself require jumping through the advanced flow (more on that below). Follow auroraoss.com for their official position.
APKMirror hosts official APKs verified by their original cryptographic signatures — largely Play Store apps distributed directly. Most apps here come from developers already verified through Play Console, so they should generally continue to work. Apps from unverified developers will still be affected.
APKPure distributes both Play Store and non-Play Store apps. According to WebProNews, APKPure is bolstering its own security frameworks in response to the changes. Apps from unverified developers in its catalogue will still face the same restrictions as any other unverified APK on certified devices.
Accrescent is the privacy-focused alternative store best positioned to survive this. Unlike F-Droid, it lets developers sign their own apps with their own keys — which means the app identity stays tied to the original developer rather than re-signing through a third party. Accrescent has already registered with Google’s verification program and has stated it will continue operating on certified devices from September 2026.
Worth noting for GrapheneOS users specifically: Accrescent comes from within the GrapheneOS community and the two projects actively collaborate. It is available directly through the GrapheneOS App Store — in fact that’s the recommended way to install it if you’re on GrapheneOS. It sits alongside F-Droid as one of the main app sources on your FreedomTech device.
Also keep an eye on their blog for updates on how they handle unverified apps in their catalogue.
After the initial backlash, Google announced that power users would be able to install unverified apps through what it’s calling an “advanced flow.” On March 19, 2026, Google published the details. The Keep Android Open campaign has documented the full process. Have a read and decide for yourself whether this is a genuine solution or deliberate friction designed to discourage most people from bothering:
1. Tap the build number in About Phone seven times to enable Developer Mode.
2. Open Developer Options. Find “Allow Unverified Packages.”
3. Flip the toggle. Confirm you’re not being coerced.
4. Enter your PIN.
5. Restart your device.
6. Wait 24 hours. Yes, really.
7. Return to the unverified packages menu.
8. Scroll past more warning screens. Choose “Allow temporarily” (7 days) or “Allow indefinitely.”
9. Confirm again on a final warning screen.
10. You can now install unverified apps.
Ten steps. A mandatory 24-hour delay. Multiple warning screens engineered to make you feel like you’re doing something dangerous. And a 7-day expiry if you chose the temporary option, meaning you get to do it all again.
Here’s the part that should concern you most: the entire flow runs through Google Play Services — not the Android operating system itself. That means Google can change it, restrict it, or remove it entirely at any time without updating your phone’s OS and without asking your permission.
As of this writing, the advanced flow doesn’t exist in any shipping Android software. It’s a blog post and some mockup screenshots. The Keep Android Open campaign puts it bluntly: “The community is being asked to accept a product announcement as a functional safeguard five months before the mandate takes effect.”
This is what I tell every FreedomTech customer who’s asked me about this. Based on It’s FOSS, the Keep Android Open campaign, Reclaim the Net, the Consumer Rights Wiki, and the GrapheneOS community forums themselves: GrapheneOS, CalyxOS, LineageOS, and /e/OS are outside the scope of this policy.
The reason is technical and worth understanding. Google enforces this policy through Google Play Services. GrapheneOS deliberately does not include Google Play Services. It is not a certified Android device in Google’s ecosystem. Google’s enforcement mechanism simply isn’t present on the device. The GrapheneOS community forum thread on this topic is titled: “Android Developer Verification: Are we screwed? (no, doesn’t apply to GOS).” That’s a pretty clear answer.
If you’re running a FreedomTech deGoogled phone on GrapheneOS, you can continue to use F-droid, Aurora Store, Accrescent, and direct APK installs exactly as you do today. Nothing changes for you.
One more thing worth mentioning: in March 2026, Motorola and the GrapheneOS Foundation announced a partnership to engineer future Motorola devices with GrapheneOS compatibility. For the first time, GrapheneOS is expanding beyond Google Pixel hardware. The project isn’t retreating — it’s growing.
That said, this is a practical exemption based on how Google currently enforces the policy — not a written guarantee. Worth keeping an eye on grapheneos.org for any updates.
Google’s stated reason for all of this is reducing malware. Their August 2025 announcement claims that apps installed from outside the Play Store contain over 50 times more malware than Play Store apps.
I’ll give them this: there is a real malware problem in the Android ecosystem. Scam apps are genuinely hurting people, particularly in markets like Indonesia, Brazil, and Thailand — which, not coincidentally, are the first four countries where enforcement begins. That’s not manufactured.
But the argument has a fairly obvious hole in it. As the Keep Android Open campaign notes, Google’s own Play Store distributed 77 malicious apps that racked up over 19 million downloads. The platform Google is using as a security benchmark has repeatedly hosted the exact malware Google claims to be fighting. Verified identity does not equal safe software.
There’s also a more principled objection. The open letter signed by 56 organisations — including the Electronic Frontier Foundation, Free Software Foundation Europe, Tor Project, Proton, and Vivaldi — argues that Android already has multiple security mechanisms that don’t require handing your government ID to Google. What this policy actually does is give one corporation a chokepoint over every app on every certified Android device on the planet. That’s a different conversation from malware prevention.
F-Droid’s model — where every line of code is publicly visible and auditable by anyone — arguably provides stronger security assurance than a name and a passport scan. A verified developer can still ship malware. An open-source app on F-Droid cannot hide what it does.
FreedomTech customers on GrapheneOS: Not affected. F-Droid, Aurora Store, Accrescent, and direct APK installs all continue working as normal. Nothing changes.
Standard Android users who use F-Droid: F-Droid will be significantly restricted on certified devices from September 2026 in the first four countries, and globally from 2027, unless the open-source community finds a technical solution or regulators intervene.
Standard Android users who use Aurora Store: Apps from verified Play Store developers will likely continue working. Getting Aurora Store itself onto a certified device may require the advanced flow. Follow auroraoss.com for updates.
Users who download APKs from APKMirror: Apps signed by their original verified developers should generally continue to work. Apps from unverified developers will be blocked.
Accrescent users: Best positioned of the alternative stores. Has already registered. Monitor their blog (blog.accrescent.app) for details.
Developers distributing outside the Play Store: Must register or their apps will be blocked from September 2026. Many open-source developers are refusing to register on principle. The Keep Android Open campaign has specific guidance for developers.
This is the thing that should sit with you. Android launched as an open platform. The ability to sideload apps — to install whatever software you chose, from whatever source you trusted — was a genuine competitive advantage over Apple and a genuine promise to users.. That promise is being walked back.
As It’s FOSS put it: “Centralising all app distribution under Google’s registration system hands one corporation the ability to cut off any app on any certified Android device globally. That kind of consolidated authority over a platform used by billions of people is unsettling.”
I agree with that. And I’d add one more thing: this policy means that a government anywhere in the world can now ask Google to deregister a developer and that app disappears from over three billion phones. Not just from the Play Store. From everywhere. Think about what that means for journalists, activists, whistleblowers, and ordinary people who rely on apps that powerful institutions would rather not exist.
If you’re in Australia or New Zealand and want to raise this with regulators, the Keep Android Open campaign has specific contacts listed. In Australia: file a report with the ACCC at [email protected]. In New Zealand: contact the Commerce Commission at [email protected]. You can also give Google direct feedback via their Android verification feedback form. Whether it changes anything is another question.
Registration opened to all developers in March 2026. Enforcement — apps actually being blocked — begins September 2026 in Brazil, Indonesia, Singapore, and Thailand. Global rollout follows from 2027. Nothing is being blocked on devices yet.
On a standard certified Android phone: yes, this is the direction things are heading from September 2026 in the first four countries and globally in 2027. On GrapheneOS: no. F-Droid continues to work exactly as it does today because the policy doesn’t apply to non-certified devices.
There isn’t one. Every app you install on Android is an APK — it’s just the file format. The distinction is where the APK comes from: the Play Store, or somewhere else. Sideloading apps just means installing from somewhere other than Google’s official store. Up until now, Android has always allowed it freely.
CalyxOS is also a custom build outside Google’s certified ecosystem and should be similarly unaffected. Monitor the CalyxOS project directly for their official position.
Google’s official documentation · F-Droid’s open letter · Keep Android Open · Consumer Rights Wiki · GrapheneOS forums · It’s FOSS analysis
The most reliable answer to this — not as a workaround but as a permanent structural solution — is a deGoogled phone running GrapheneOS. It removes Google’s enforcement mechanism entirely. There’s no 10-step process, no 24-hour waiting period, no risk that Google quietly removes your ability to install open-source apps through a Play Services update you didn’t ask for and can’t refuse.
That’s what we build and supply at Freedom Technology and Services. Every phone we sell is a Google Pixel running GrapheneOS — configured, tested, and ready to use, with F-Droid and your privacy apps already in place.
Questions? Reach us at [email protected] or on Telegram. We’re happy to walk you through it.
