Google Plans to Restrict Installing Apps Outside Google Play to "Experienced Users"
Google recently published a blog post seeking feedback about the Android developer verification program they announced in August. The original plan was to require all app developers to submit to identity verification before their app could run on a "certified Android device" platform, regardless of whether the developer distributed their app on Google Play, via a free and open-source alternative like F-Droid, or on a popular open-source code platform like Codeberg or GitHub.
In their most recent post they appear to roll back the original proposal slightly, stating:
While security is crucial, we’ve also heard from developers and power users who have a higher risk tolerance and want the ability to download unverified apps.
Based on this feedback and our ongoing conversations with the community, we are building a new advanced flow that allows experienced users to accept the risks of installing software that isn't verified.
The company says this "advanced flow" will include clear warnings about the risks of installing apps outside the Play Store and safety checks against potential coercion from scammers.
Many of these statements ring hollow, however, against the reality that Google's own software distribution channels (including Google Play and the Chrome Web Store on desktop) are frequently found to distribute malware, adware, and spyware, sometimes even via apps which have supposedly been verified by Google.
In fact, the most prevalent mobile spyware of our time, Google Play Services, is bundled by design with the vast majority of apps distributed on the Play Store. It improperly collects data, and its highly privileged design creates security holes in the Android security model, which security-focused Android alternatives like GrapheneOS have to go out of their way to sandbox and fix.
Last September, F-Droid released a statement saying that Google's proposed changes to the Android platform would "end the F-Droid project and other free/open-source app distribution sources as we know them today," and it does not seem likely these proposed changes will change that. Google knows as well as any computer user that their artificially increased friction will stop many people from using alternative app stores: They lost a lawsuit with Epic Games for this very reason.
It seems like Google and Apple are "settling" the issue of no longer being able to legally control which apps get installed on their devices by instead heavily restricting the ways that apps are distributed. It should be clear that this does not hold up as a real solution, and people need to demand a clear line in the sand: that your devices are your own.
As F-Droid rightfully pointed out, Google already has a system (Play Protect) that could prevent malware installations on certified Android devices if Google felt confident in their ability to identify malware.
What Google is proposing is not new in the tech space: Apple has had a similar practice forever on iOS and for years on desktop, which seems to worsen with every new macOS release. However, it may be the most impactful example of this practice yet if implemented.
The rebrand of the user's freedom to install apps of their choosing as "sideloading" has been decried for years by free software advocates, who argue that software is fundamentally just information, and no middlemen should be able to block anyone's access to information. Google mandating a verification scheme for developers is just an extension of this Digital Rights Management (DRM) debate that has been ongoing in the United States since 1998.
The truth is that if a "Digital Right" is being granted to you by a tech corporation, then it isn't a right at all.