Google has responded to growing concern over its decision to require identity verification for all Android app developers by September 2026.
The company plans to block sideloaded apps from developers who decline to verify their identity, a move that many view as a threat to both developer privacy and the health of independent app distribution outside the Play Store.
The policy will require developers to submit government-issued identification to Google.
During a video explanation, a Google employee brushed aside questions about anonymity, saying “it’s not clear when anonymity is absolutely required,” and tried to ease fears about data collection by stating “it’s not like Google’s gonna share that information with the public or anything like that.”
The company’s position was outlined across multiple formats, including a blog post, a support page, and a lengthy video featuring Google employees discussing the shift.
However, many concerns, particularly around privacy, decentralization, and the viability of third-party app stores, were left either unaddressed or downplayed.
Google’s messaging implies that the changes are aimed at improving app security.
The company claims identity checks will help weed out malicious actors, especially those distributing malware.
But there is growing unease about the level of control this policy gives Google over the Android ecosystem.
Under the proposed system, Google will have the unilateral authority to determine who is allowed to distribute apps and could effectively block any developer it suspects of wrongdoing, potentially even without a clear or transparent justification.
While the video suggests the focus is currently limited to those linked with malware, nothing in the policy guarantees that future enforcement will not extend further.
Developers flagged in error could lose their ability to share apps entirely, with no clear recourse.
Another point of contention is how this shift could impact projects like F-Droid, which hosts and distributes open-source apps, many of which are not built or signed by the original developer but by F-Droid’s infrastructure.
Google’s video references a “pre-auth token” described as a “cryptographically verifiable blob” that could be used to allow trusted app stores to bypass additional verification calls to Google’s servers.
However, the implementation details are vague, and it is uncertain whether apps built and signed by third parties, like many on F-Droid, will qualify under this system.
Later in the video, Google outlined a scenario where developers with apps on both the Play Store and third-party platforms must prove ownership by uploading an APK signed with their personal key.
This poses a problem for non-reproducible builds, apps compiled and signed by F-Droid rather than the developer, potentially resulting in installation blocks for some of those apps on Android devices.
While F-Droid has made efforts to support reproducible builds and now sees a majority of new apps using this method, a substantial number still depend on F-Droid’s signing keys. That leaves many apps at risk under Google’s proposed enforcement framework.
In addition, Google confirmed that internet connectivity may be required in certain situations just to install an APK, further eroding user control over their own devices.
Despite these significant concerns, Google’s public statements offered little reassurance to developers or users advocating for an open Android ecosystem.
The company stated it is “looking for feedback” and “reviewing all the feedback…on a weekly basis,” but developers and users alike say the dismissive tone of the rollout raises doubts about how seriously that input will be considered.
