Google has published a blog post clarifying its upcoming developer verification requirements for Android, stating new security measures will not eliminate sideloading after receiving pushback from independent app stores like F-Droid.
In the post, titled “Let’s talk security: Answering your top questions about Android developer verification,” the company affirmed its new policies are intended to improve safety rather than restrict user choice. Google reiterated its position that “sideloading is fundamental to Android, and it is not going away.” The system will tie every Android application to a verified developer identity, a move designed to make it more difficult for malicious actors to impersonate developers or distribute malware. The post added, “Our new developer identity requirements are designed to protect users and developers from bad actors, not to limit choice.” Google also specified that developers completing verification will remain free to distribute their applications through any channel, including direct downloads or third-party app stores.
For hobbyist and small-scale creators, Google is introducing a free developer account type. This option allows for app distribution to a limited number of devices without requiring the developer to submit a government ID. The process for these unverified apps requires an end user to share a unique device identifier with the developer. The developer must then enter that specific ID into Google’s developer console. After this step, the developer provides the user with instructions to download the application. This procedure grants Google control over how many devices can install an unverified developer’s app. Any developer wishing to distribute to a broader audience must still undergo full identity verification.
Despite Google’s assurances, the announcement did not address the primary concern raised by the independent app store F-Droid: who will ultimately control developer identities and signing keys. F-Droid pointed out that under the new rules, all Android applications must be associated with a Google-verified developer account, regardless of distribution source. This requirement, F-Droid argues, positions Google as the central authority for the Android app distribution ecosystem, a move that could threaten the existence of alternative platforms.
The open-source project stated it cannot take over app identities on behalf of its open-source contributors. This creates a situation where many community-built applications on F-Droid could disappear if their developers refuse to register for a Google account or cannot complete verification. Consequently, while the ability to sideload an application will technically survive, F-Droid contends the ecosystem of independent app stores that makes the practice useful could be significantly hampered by Google’s centralized control over developer identities and their associated signing keys.
