For the past 15 years, F-Droid has provided a safe and secure haven for Android users around the world to find and install free and open source apps. When contrasted with the commercial app stores — of which the Google Play store is the most prominent — the differences are stark: they are hotbeds of spyware and scams, blatantly promoting apps that prey on their users through attempts to monetize their attention and mine their intimate information through any means necessary, including trickery and dark patterns.[^spyware1]
https://f-droid.org/2025/09/04/twif.html
[^spyware1]: “Spyware maker caught distributing malicious Android apps for years”: https://techcrunch.com/2025/02/13/spyware-maker-caught-distributing-malicious-android-apps-for-years
F-Droid is different. It distributes apps that have been validated to work for the user’s interests, rather than for the interests of the app’s distributors. The way F-Droid works is simple: when a developer creates an app and hosts the source code publicly somewhere, the F-Droid team reviews it, inspecting it to ensure that it is completely open source and contains no undocumented anti-features such as advertisements or trackers. Once it passes inspection, the F-Droid build service compiles and packages the app to make it ready for distribution. The package is then either signed with F-Droid’s cryptographic key or, if the build is reproducible[^reproducible], distributed with the signature made by the original developer’s private key. In this way, users can trust that any app distributed through F-Droid is the one that was built from the specified source code and has not been tampered with.
https://f-droid.org/docs/Anti-Features/
[^reproducible]: F-Droid Reproducible Builds Introduction: https://f-droid.org/docs/Reproducible_Builds/
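The reproducibility check described above can be illustrated with a simplified comparison, added here as an example and not F-Droid’s own code: it checks that an APK rebuilt from source has the same entries as the developer-signed APK once the JAR (v1) signature files under META-INF/ are set aside. The sample archives and all function names are constructed for illustration, and the check does not verify the signature itself.

```python
import hashlib
import io
import re
import zipfile

# JAR (v1) signature files live under META-INF/; a rebuild from source cannot contain them.
SIGNATURE_FILE = re.compile(r"^META-INF/([^/]+\.(SF|RSA|DSA|EC)|MANIFEST\.MF)$")

def content_digests(apk_bytes):
    """Map each non-signature entry name to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if SIGNATURE_FILE.match(info.filename):
                continue
            if info.filename in digests:
                # A duplicated name could hide content from the comparison.
                raise ValueError(f"duplicate entry: {info.filename}")
            digests[info.filename] = hashlib.sha256(apk.read(info)).hexdigest()
    return digests

def compare_builds(developer_apk, rebuilt_apk):
    """Return sorted (entry, reason) differences; an empty list means the builds match."""
    dev, ours = content_digests(developer_apk), content_digests(rebuilt_apk)
    diffs = []
    for name in sorted(dev.keys() | ours.keys()):
        if name not in ours:
            diffs.append((name, "only in developer APK"))
        elif name not in dev:
            diffs.append((name, "only in rebuilt APK"))
        elif dev[name] != ours[name]:
            diffs.append((name, "content differs"))
    return diffs

def make_apk(entries):
    """Build a constructed sample APK (a ZIP archive) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample data, not real app contents.
SOURCE_BUILD = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex-from-source"}
SIGNED = dict(SOURCE_BUILD, **{"META-INF/MANIFEST.MF": b"m", "META-INF/CERT.SF": b"s",
                               "META-INF/CERT.RSA": b"r"})
TAMPERED = dict(SIGNED, **{"classes.dex": b"dex-with-tracker", "lib/extra.so": b"x"})

if __name__ == "__main__":
    rebuilt = make_apk(SOURCE_BUILD)
    print(compare_builds(make_apk(SIGNED), rebuilt))
    print(compare_builds(make_apk(TAMPERED), rebuilt))
```
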
Do you want a weather app that doesn’t transmit your every movement to a shadowy data broker? Or a scheduling assistant that doesn’t siphon your intimate details into an advertisement network[^surveillance-ads]? F-Droid has your back. Just as sunlight is the best disinfectant against corruption, open source is the best defense against software acting against the interests of the user.
https://www.howtogeek.com/884233/your-weather-app-is-spying-on-you-heres-what-to-do/#why-are-weather-apps-such-a-privacy-nightmare
[^surveillance-ads]: “Online Behavioral Ads Fuel the Surveillance Industry—Here’s How”: https://www.eff.org/deeplinks/2025/01/online-behavioral-ads-fuel-surveillance-industry-heres-how
Google’s move to break free app distribution
The future of this elegant and proven system was put in jeopardy last month, when Google unilaterally decreed that Android developers everywhere in the world are going to be required to register centrally with Google. In addition to demanding payment of a registration fee and agreement to their (non-negotiable and ever-changing) terms and conditions, Google will also require the uploading of personally identifying documents[^regid], including government ID, by the authors of the software, as well as enumerating all the unique “application identifiers” for every app that is to be distributed by the registered developer.[^regappid]
require all apps to be registered by verified developers in order to be installed by users on certified Android devices.” https://android-developers.googleblog.com/2025/08/elevating-android-security.html
[^regid]: Android developer verification: “You will need to provide and verify your personal details, like your legal name, address, email address, and phone number. You may also need to upload official government ID.”: https://developer.android.com/developer-verification#verify-your-identity
[^regappid]: Android developer verification: “You’ll need to prove you own your apps by providing your app package name and app signing keys.”: https://developer.android.com/developer-verification#register-your-apps
The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.
If it were to be put into effect, the developer registration decree would end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world would be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all. F-Droid’s myriad users would be left adrift, with no means to install — or even update their existing installed — applications.
because we don’t track users or have any registration. “No user accounts, by design”: https://f-droid.org/2022/02/28/no-user-accounts-by-design.html
The Security Canard
While directly installing — or “sideloading” — software can be construed as carrying some inherent risk, it is false to claim that centralized app stores are the only safe option for software distribution. Google Play itself has repeatedly hosted malware[^playmal1][^playmal2], proving that corporate gatekeeping doesn’t guarantee user protection. By contrast, F-Droid offers a trustworthy and transparent alternative approach to security: every app is free and open source, the code can be audited by anyone, the build process and logs are public, and reproducible builds ensure that what is published matches the source code exactly. This transparency and accountability provides a stronger basis for trust than closed platforms, while still giving users freedom to choose. Restricting direct app installation not only undermines that choice, it also erodes the diversity and resilience of the open-source ecosystem by consolidating control in the hands of a few corporate players.
came up with; it means “installing software without our permission,” which we used to just call “installing software” (because you don’t need a manufacturer’s permission to install software on your computer).’ — Pluralistic: Darth Android: https://pluralistic.net/2025/09/01/fulu/
[^playmal1]: “224 malicious apps removed from the Google Play Store after ad fraud campaign discovered”: https://www.malwarebytes.com/blog/news/2025/09/224-malicious-apps-removed-from-the-google-play-store-after-ad-fraud-campaign-discovered
[^playmal2]: “Malware-ridden apps made it into Google’s Play Store, scored 19 million downloads”: https://www.theregister.com/2025/08/26/apps_android_malware/
Furthermore, Google’s framing that they need to mandate developer registration in order to defend against malware is disingenuous because they already have a remediation mechanism for malware they identify on a device: the Play Protect service that is enabled on all Android Certified devices already scans and disables apps that have been identified as malware, regardless of their provenience. Any perceived risks associated with direct app installation can be mitigated through user education, open-source transparency, and existing security measures without imposing exclusionary registration requirements.
harmful behavior”: https://support.google.com/googleplay/answer/2812853
We do not believe that developer registration is motivated by security. We believe it is about consolidating power and tightening control over a formerly open ecosystem.
The Right to Run
If you own a computer, you should have the right to run whatever programs you want on it. This is just as true with the apps on your Android/iPhone mobile device as it is with the applications on your Linux/Mac/Windows desktop or server. Forcing software creators into a centralized registration scheme in order to publish and distribute their works is as egregious as forcing writers and artists to register with a central authority in order to be able to distribute their creative works. It is an offense to the core principles of free speech and thought that are central to the workings of democratic societies around the world.
By tying application identifiers to personal ID checks and fees, Google is building a choke point that restricts competition and limits user freedom. It must find a solution which preserves user rights, freedom of choice, and a healthy, competitive ecosystem.
What do we propose?
Regulatory and competition authorities should look carefully at Google’s proposed activities, and ensure that policies designed to improve security are not abused to consolidate monopoly control. We urge regulators to safeguard the ability of alternative app stores and open-source projects to operate freely, and to protect developers who cannot or will not comply with exclusionary registration schemes and demands for personal information.
If you are a developer or user who values digital freedom, you can help. Write to your Member of Parliament, Congressperson[^congressperson] or other representative, sign petitions in defense of sideloading, and contact the European Commission’s Digital Markets Act (DMA) team to express why preserving open distribution matters. By making your voice heard, you help defend not only F-Droid, but the principle that software should remain a commons, accessible and free from unnecessary corporate gatekeeping.
https://www.europarl.europa.eu/meps/en/home
[^congressperson]: Find Your Representative: https://www.house.gov/representatives/find-your-representative
https://digital-markets-act.ec.europa.eu/contact-dma-team_en