Google's Requirement for Developers to Be Verified Threatens App Store F-Droid
Posted3 months agoActive3 months ago
techdirt.comTechstoryHigh profile
heatednegative
Debate
85/100
AndroidF-DroidGoogleOpen SourcePrivacy
Key topics
Android
F-Droid
Google
Open Source
Privacy
Google's new requirement for developers to be verified threatens the open-source app store F-Droid, sparking concerns about Android's openness and user freedom.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussionFirst comment
22m
Peak period
107
0-3h
Avg / period
15.2
Comment distribution152 data points
Loading chart...
Based on 152 loaded comments
Key moments
- 01Story posted
Oct 7, 2025 at 2:51 PM EDT
3 months ago
Step 01 - 02First comment
Oct 7, 2025 at 3:14 PM EDT
22m after posting
Step 02 - 03Peak activity
107 comments in 0-3h
Hottest window of the conversation
Step 03 - 04Latest activity
Oct 9, 2025 at 5:11 PM EDT
3 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
ID: 45507173Type: storyLast synced: 11/20/2025, 5:54:29 PM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
edit: fixed spelling
Does the phone last an entire day on a single charge?
With a Librem 5, its 12ish hours on idle, 20 hours on suspend, and 4-5 hours light usage.
If so, I might be able invert my plan: use the Linux phone with phone/5G/useful software most of the time, and a cheap android phone in my bag that only comes out for things that need the monopoly apps and tethers to the useful one occasionally when necessary.
The Fairphone 4/5 supports 5G, but I don't know how stable they are on pmOS/Mobian
Then Nokia N900 with Maemo 5, in 2017-2019 augmented by Samsung Galaxy S3 with LineageOS as a secondary device since N900 was getting unusable for the Web by then.
And finally since 2020 up to now, Librem 5 with PureOS, which removed the need to carry an Android device again.
Anyway, "it is my FOSS project so I can charge people whatever I want." sounds reasonable.
https://sfconservancy.org/blog/2021/mar/25/install-gplv2/ https://sfconservancy.org/blog/2021/jul/23/tivoization-and-t... https://events19.linuxfoundation.org/wp-content/uploads/2017...
Good North America market availability sure would help too. There’s been stuff like Sailfish that seemed interesting in the past but didn’t have easily purchasable devices available in the US, completely precluding development for the platform for a significant number of devs.
The reason this argument isn't holding water and swaying popular opinion, in my opinion, is because everything else in life is heavily regulated, licensed, and restricted.
"It's my car, I should be able to do whatever I want with it!" does not hold, either for driving, or removing the catalytic converter, or changing the tuning to be able to roll coal, or uninstalling the seat belts.
"It's my kitchen, I should be able to do whatever I want with it!" does not hold when I can't sell my baked goods to my neighbors without a license, or replace the interior of my kitchen without a permit.
"It's my home, I should be able to do whatever I want with it!" does not hold when I can't build a deck, add an addition, or even install a new electrical outlet, without permission. Have you ever tried putting something in your front yard?
Unless we agree to fight for freedom everywhere, the only logical excuse is that the digital world doesn't have real world consequences, except that it increasingly patently does now. It's no surprise to me then that the argument does not resonate. That does mean we may have to allow people to have an uncomfortable level of freedom, across the board, in order to be logically consistent, and broaden chance of success.
The technologist sees licensing from Google to develop Android apps as tyranny. The average person asks "where have you been? What can you do without a license?"
I think people should be able to build a deck without state consent. I think people should be able to sell to their neighbors without the health department watching. I think people should be able to start a small business without needing IRS filings at first. I think a small business might need OSHA exceptions across the board for the first few employees. I even think, yes, that allowing some idiots to roll coal is worth more than tightly regulating car repairs and controlling car repair equipment. And I think, to most people, these freedoms matter more than digital sovereignty.
---
Edit, posting too fast, cannot reply directly: In that case, that's a great argument for regulating app distribution, we need to protect people from scam apps. We can't possibly neglect people who don't know better about the risks of sideloading.
I'm sure you wouldn't say, "I just want to do whatever I want with code, while stopping my neighbor from building a dangerous deck," with a straight face, right?
It's cool and all for your neighbors to sell you raw milk until that case of brucellosis and staph kills off the breadwinner in your family and you're caught up for the rest of your life suing a family farm out of existence.
And that deck is great and all, until you go over to your buddies party where you're all drinking and 15 crowd on to that deck that suddenly fails leading to you being a paraplegic.
And small business OSHA exceptions are great until big companies sub out all their work to tiny contractors that end up dying without proper PPE.
And some idiot rolling coal is fine until you're the one trying to figure out how you got lung cancer even though you didn't ever smoke.
Libertarianism is what happen when you don't think in systems.
I think the relevant difference is that it has real-world consequences for other people. And the consequences are likely to scale with the magnitude of the audience, meaning that it is bigger players that should face stiffer regulation. And yes, I think some of the examples you give should also be allowed.
Catalytic converters are there because they reduce the emissions your car produces. Those emissions get out into the air and affect everyone around you, and (over time, potentially) everyone on the planet. Rules around selling baked goods exist to ensure you don't sell bread made with rotten eggs or something that would make people sick. (And there are now "home kitchen" laws in some places that do allow you to do this anyway.) Installing a new electrical outlet has potential fire risks which could affect nearby buildings. Building a deck has potential safety consequences, but I imagine there are many jurisdictions where you can do that without a permit, and even more where you can get away with doing so even though it's technically not allowed.
Me installing a tic-tac-toe game from F-droid doesn't have the same kind of ripple effects on other people. It probably has much smaller such effects than installing a mainstream app like Facebook.
> Unless we agree to fight for freedom everywhere, the only logical excuse is that the digital world doesn't have real world consequences, except that it increasingly patently does now. It's no surprise to me then that the argument does not resonate. That does mean we may have to allow people to have an uncomfortable level of freedom, across the board, in order to be logically consistent.
The bigger you are, the more everything you do affects other people. To my mind the "logically consistent" approach is to impose greater restrictions on almost all sorts of behavior the larger and more powerful the entity performing the behavior. By this logic, it would be Google that is restricted from changing its policy like this, simply because it is big.
Your ability to distribute your app anonymously absolutely meets the definition of real-world consequences for other people.
I personally find it absurd we accept that the government regulates food (people can't detect bad food), and hair cutting (people can't detect inexperienced people with scissors), but the right to anonymous app distribution is sacrosanct, as though food quality is less transparent than app quality. It's not - all of these licenses need to be let go of on the small scale.
Meanwhile I can download anything with confidence on F-Droid, the subject of the article.
The whole "third parties are scary" shtick really does demand evidence.
The butcher says that vegetables is bad for your health, and you should only eat meat.
Google is full of shit.
You can though. No one will stop you from doing either of those things.
> I can't build a deck, add an addition, or even install a new electrical outlet, without permission. Have you ever tried putting something in your front yard?
A deck or addition might draw attention and run afoul of some rule depending on where you live, but a lot of places won't care. If you want to put in an outlet, the world's your oyster. The only real consideration is if you're worried you may do it wrong and may run into insurance denials after a catastrophe or something. You don't actually need anyone's permission. And it's October; I have decorations in my front yard right now. No one was consulted about this.
It's like my air conditioner broke a couple weeks ago, so I ordered a capacitor off amazon and fixed it. I've never touched one of these things before, but the only one stopping you from unscrewing it and going to town is you. If you passed high school you ought to have a basic understanding of how stuff works and be able to do some light reading to make sure you're doing this correctly and safely. LLMs make this even easier.
These phone restrictions, by contrast, would be like if your AC or electrical panel somehow required a licensed professional to activate new parts. Or even more on point, required someone registered with e.g. Carrier (not actually any kind of professional certification; just someone gatekept by a business trying to monopolize things).
It's literally illegal in many US states and countries to do so. In my home state, MN, it is tightly regulated what kinds of "cottage food" you are allowed to sell.
You're confusing ability with legality. Try loading up some food you cooked in your kitchen and selling it out of your car, door-to-door, and watch what happens. This is despite, for most people, judging the health risks of food being wildly easier than the security risks of a sideloaded app.
> These phone restrictions, by contrast, would be like if you AC or electrical panel somehow required a licensed professional to activate new parts.
That already exists in car repair; with key reprogrammers and especially anything engine-tuning being restricted to licensed individuals. Also, good luck messing with your catalytic converter, without the ECU by law detecting it and getting very angry. Take my relative's diesel truck from 2015 - a single failed sensor in the exhaust, and it caps itself as low as 30 MPH.
Ability vs. legality is the point; these things in practice aren't that heavily regulated, licensed, and restricted, and in fact no one will check up on you or try to stop you at all unless you piss someone off by somehow turning it into an annoyance. I don't know why you'd even think to check whether most of the stuff you listed is legal.
Using car restrictions (which are obviously mostly anti-consumer, especially for EVs) as some justification for similar actions in phones is interesting, to say the least.
That's worse, not better. Freedom by definition isn't subject to the whims of my neighbors.
---
Edit, posting too fast, because I can't reply directly: What you are advocating for is a police state. Think about it:
1. Laws should be intentionally overbroad: Make everything illegal, then only enforce when something goes wrong
2. Competence is determined retroactively: You only find out if you were "allowed" to do something after a disaster
3. Rights depend on outcomes: You had the right to wire that outlet... unless it sparked, then retroactively you didn't
4. Selective enforcement is good, actually: Laws that could be used against anyone but usually aren't are fine
This is nonsense.
---
Like I said,
> I'm not in favor of extreme authoritarian laws being on the books at all for their abuse potential
I'm not in favor of that. But obviously a police-state-on-the-books is better than a real-actual-police-state. Duh. Laws that are never enforced that say women can't wear pants or gay relationships are illegal are stupid. I like when legislators do "cleanup" bills to delete invalid laws and keep things tidy. The same laws if they are enforced are oppressive.
In practice I'm not sure that "you can do dangerous things as long as you are competent and are not negligent and don't injure others" is a bad guiding principle? Like yeah if it turns out you were not competent or you were negligent, then we (retroactively) say you should have at least known enough to not do that. Sounds reasonable. Especially if the law is effectively "thing is dangerous. Only people who know what they're doing should do it". It's on you then to know enough to know whether you know what you're doing. If you don't know whether you're competent enough, then I suppose you're not.
It would be better to have that explicitly be the law, but having it be the de facto law works well enough. It's sort of the same "if you know you know" kind of thing, but I guess with a different psychological filter where people are more likely to default to "I don't realize I can do this"? Personally I'd prefer we not infantilize people, so it's better to encourage them to better themselves and learn a skill rather than discouraging them and saying they "can't" do it, but maybe the type of people who allow themselves to be infantilized are exactly the ones you don't want to do it anyway.
There's a lovely grandma in my neighborhood who has been doing exactly this for years. She sells the best tamales around. Just sayin'.
But yes, how viable and/or legal this is depends on where you live.
No, you are. Google's restricting the ability, by decree. Laws restrict the legality, in certain places, by democratic consensus.
Following your rationale, we just actually need the government to step in and regulate that Google cannot do what they want with Android.
Since I live in the EU, that's exactly what I am hoping for.
Anytime similar argument is brought up for Apple, people always say "Their platform, their rules". Isnt that the case here?
My position when Apple was throwing a hissy fit because of EU regulations is that Apple should go fuck itself.
Now, likewise, I hope the EU assrapes Google with fines if they move on with this bullshit.
Why? On what grounds? It hurts upsets a few people?
I, and many others, rely on being able to slideload apps on Androids.
If Google decides to abandon Android tomorrow, or go all in on Windows Mobile OS, is that an "abuse of market dominance"? In reality, private companies are free to make decisions that make sense to them.
There's no law that says things should be "free", or everyone should be "happy" with a companies decision.
Yes.
> In reality, private companies are free to make decisions that make sense to them.
And that's why governments should regulate them very strictly. I fully expect corporations to fuck over consumers if it makes them a couple of bucks.
> There's no law that says things should be "free", or everyone should be "happy" with a companies decision.
Most countries have regulations protecting consumers.
Government crackdown is the scarier thing. It's suspicious seeing both "private" companies locking things down, while at the same time the US govt is increasingly making special threats and deals with big corps, and also Europe is trying to clamp down on encrypted messaging. So yeah the outcry over Android seems justified. Wouldn't be surprised if WEI comes back too.
Apple told users in advance that they would be buying into a walled garden.
Google, on the other hand, fraudulently marketed Android as open.
Fraud is illegal. Walled gardens are not.
I think your lack of reasonable example speaks for itself.
I find this position hard to reconcile.
and followup development is a week old now also
https://news.ycombinator.com/item?id=45428832
Answering questions about Android developer verification (googleblog.com) https://news.ycombinator.com/item?id=45428832 - 3 days ago, 121 comments
General purpose computing has been the backbone of the modern tech economy for decades and has changed our way of life.
Efforts to restrict that such as no longer allowing people to install applications-Google-hasn't-approved on their own devices is only going to benefit Google at the expense of others and cripple future innovation in the software ecosystem for mobile.
yeah "Google has pretty clearly done an extremely bad job" at making competitors obsolete. Intel, Samsung, Nokia, etc. are all tiny companies who had no chance anyway, especially at the time before Android was firmly established as one of two platforms mobile developers bother making software for
Imagine, if you will, an adblocker that could run across not just web pages but all apps, in a privacy-protecting and declarative way. Google has every incentive to simply slow-walk the OS-level support necessary for this kind of system, perhaps citing legitimate security concerns, but certainly not allocating resources towards solving the problem in earnest. And if you hard-fork Android to do this kind of deep work, rather than just maintaining packages or patchsets, you'll be forced to dedicate tremendous resources towards maintaining that fork to keep up with mainline fixes/APIs. (And that's just the tip of the iceberg.)
So it's an incredibly effective chilling effect in practice, quite intentionally so.
OEMs may be forced to do the same, but 3rd party ROMs will not.
I do agree this cuts deeply for F-Droid.
Google are also making that harder, at least for the Pixel line by no longer publishing the device tree as part of AOSP.
I know Fairphone do publish a buildable tree - though it's not yet available for their latest device - does anyone else?
Not sure why you're calling this non-unlockable. Everything is unlockable with enough money.
Maybe we use some hardware-level trick to get to some protected firmware initially to reverse engineer it, but almost universally it's what reads the state of the fuses (or something after it) that actually gets exploited. That's changing, too, but in general very slowly and at at the pace of hardware manufacturers learning how to make software (aka, glacial with a few notable exceptions).
Fairphone wanted to give users full access on the Fairphone 2, but were contractually disallowed if they wanted to also ship the Android Market, Google Maps, etc., which users can't otherwise install themselves so it was essential to pre-install for a normal user experience. That's why they made two OSes for that phone: a googleful one and a free OS based on AOSP that you can install if you don't want Google (https://code.fairphone.com/projects/fairphone-2/fairphone-op...). Nowadays they let the /e/ Foundation do that work with e/OS. They're supportive of it but apparently don't have the internal manpower to continue making and supporting an extra distribution
Originally, device makers who used Android themselves were contractually prohibited from manufacturing devices for any company that forked Android, for instance.
Do we really want a future where 99.9% of people's pocket computers must ask for permission from one of two companies to run something on a device?
If they want to have a closed platform, do what Microsoft did with Xbox and create something new.
If you don't like that, you have to do what they did in the EU and change the law.
Fraud is illegal here today, and Google's marketing was definitely fraudulent, so there is clearly something that can be done about it today.
Sorry man. The EU Cyber Resilience Act is forcing these changes. An operating system is a class 1 important product. A tamper-resistant microchip is a class 2 important product. A device with a secure element is a critical product. Your smartphone has all of these pieces. Manufactures must follow a list of best practices to enjoy a presumption of conformity. That list of best practices is being compiled and made ready for publication, with full effect in 2026/2027. Google knows what is coming. Everyone big knows what’s coming.
True open source with no monetization can get a pass. Everyone else has to do this.
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L...
Even RMS needs money once in a while, short of eating bits of his own flesh.. oh wait!
People buying phones by and large do not care in the slightest about "openness". Whether or not their phone supports sideloading is completely and utterly irrelevant to them.
But aside from that, it would be enermously difficult to prove that Google made claims that were unequivocally false while advertising Android. Sure, they made some vague claims about Android being an "open" platform. But they had more than enough well-compensated lawyers on their side to avoid making specific promises about specific functionality that could eventually land them in court.
Finally, even if some of the claims Google made about Android in 2015 no longer hold up in 2025, that in and of itself is not illegal. Google is allowed to change and adapt Android over time as it sees fit. Though you and I may disagree with their findings, they have internally identified systemic security threats caused by unrestricted sideloading, and have created a solution to this real-world problem (however flawed it may be). There is no reason under the current laws of the United States that they should not be allowed to make those changes (aside from perhaps general antitrust law, but that is not enough in this instance as evidenced by the outcome of Epic Games' case against Google). Perhaps they will have to change their advertising going into the future, and they can definitely no longer reuse older advertising materials promoting Android's capability for unrestricted sideloading (if those exist). But just because they advertised Android as having feature X in the past does not mean that they would break the law if they were to remove feature X in the future after they stopped running those old ads.
(Yes, it gets a little blurry in the case of software because it often automatically updates and offers no option to downgrade. But phones don't last forever. In the worst case Google could just wait ~5 years from today to implement Developer Verification.)
Part of the hardware:
- Can be restricted to specific devices
- Must be available under GPLv3, including anti-tivoization provisions (forced bootloader unlock)
- May not attempt to use TPMs, DRM, or other systems to support assertions about client devices
Not part of the hardware:
- May only interact with hardware through public, documented, APIs in the "part of hardware" category
- Using alternatives from competitors must be fully supported
- When made by a company that also makes hardware, must also work on competitors' hardware (at least one, more if technically feasible)
- May be under a proprietary license
- Must not attempt to assert anything regarding the hardware, so things like Google Safteynet are now illegal. Security boundary must be shifted to consider client devices insecure
This is, I think, a good compromise to allow software developers to get paid without taking away ownership of hardware devices. Developers can be paid for "part of the hardware" software with money from selling the hardware, and "not part of the hardware" software can be trivially commercialized under a proprietary license. But, there is no way for a user to end up unable to control their hardware, or incentivized to configure it in a specific way.
Also, things like TPMs, Secure Boot, etc, are good security tools which can be used by an end user to get security guarantees over their device.
I use Secure Boot with Linux because, when done right, it means you can get full disk encryption without gaps (at best, without secure boot, you have an un-encrypted bootloader on a flash drive which decrypts your disk and boots your machine, and this is a clunky setup).
I use GrapheneOS's hardware attestation to alert me if something compromises my android phone's operating system.
Now it's true that these features are abused by companies like Google to force you to run a blessed Android build if you want to use e.g. Google Pay (which is the only mobile payment option in e.g. the UK). But it's important to separate the technology from the bad actors abusing it.
Curious to hear if there are any unintended consequences to this that I may not have thought of. Think of this as a strawman proposal.
Is this legal ownership or technical 0wnership?
https://f-droid.org/2025/09/29/google-developer-registration...
> The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot “take over” the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.
I don't understand the argument.
The other half is suggesting they could offer uploading the apps put into f-droid to the store (under an f-droid account I'd guess) but they immediately discard that option since it would make f-droid the exclusive distributor, taking something from the dev.
I'm considering abandoning Android altogether in favor of a proper Linux device, but GOS is what makes Android usable for me.
https://grapheneos.org/faq#future-devices
If you object to having any business with Google or using their hardware, then no.
https://www.shift.eco (need to somehow get ShiftOS-L variant; the -G variant has Google services on board)
This year I finally moved to iOS. I don’t feel happy about it, but they are now both basically as closed as each other, both are run by what I consider evil corporations.
If you told the teenager me in mid 90s, watching the internet bloom all around me, promising freedom and democratisation of access to knowledge the world over, that one day we would replace the open, standards based, federated, decentralised World Wide Web with two proprietary walled gardens, beholden forever to the whims of two companies, I would have thought you’re nuts.
https://grapheneos.org/
Google/Alphabet's been slowly tightening all sorts of things. Of course "security" is the term bandied around. Of course, I'd say "security" is overloaded - is it security for the user, or security for google AGAINST the user? I think it's the second.
And we also have no valid 3rd party phone platform. In reality, there was Windows Phone, but that was even worse locked down.
There's a few Linux phone projects. Pinephone is an embarrassment and an abject failure. I think the UbuntuPhone is dead as well.
Once they do this, it'll probably be a while before a proper Linux phone hits the market.
I use F-droid since around 2015, install it also for many family members and give them option to use open source alternatives of apps.
Most used apps are from F-Droid, about 20% from Aurora Store. No play services or gaaps at all.
https://docs.google.com/forms/d/e/1FAIpQLSfN3UQeNspQsZCO2ITk...
Hopefully some reasonable people are listening at Google and just need to know that > 5 people use F-Droid.
> https://news.ycombinator.com/item?id=45409794#45411497