About Android Sideloading Apps Policy Changes

I’ve been reading and seeing videos about some Google policy changes that would affect side-loading of apps on Android in the next few years. Doesn’t sound like it’s going to be a positive change for developers or Free and Open Source projects like F-Droid. I’m wondering what others think of the situation and if they’ve come across any interesting work-arounds to keep side-loaded apps on their phones.

@Laura_Michaels :

Hi Laura,

This is outrageous and I´m very concerned about this sad development.
No idea whether there will be any workarounds, and if so, how would they work… ?

I found this reference to the subject here:

Google announced recently that it will be rolling out changes to Android which will prevent users from loading applications onto their phones, unless those applications are distributed through the Google Play Store.

and a statement by f-droid here:

Some key points:

• If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world will be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all.

• If you own a computer, you should have the right to run whatever programs you want on it.

• Google is building a choke point that restricts competition and limits user freedom.

• We urge regulators to safeguard the ability of alternative app stores and open-source projects to operate freely, and to protect developers who cannot or will not comply with exclusionary registration schemes and demands for personal information.

• If you are a developer or user who values digital freedom, you can help. Write to your Member of Parliament, Congressperson or other representative, sign petitions in defense of sideloading and software freedom, and contact the European Commission’s Digital Markets Act (DMA) team to express why preserving open distribution matters.

Bleak future ahead of us

Many greetings from Rosika

There was a talk about the situation with mobile devices, FOSS and users freedoms at the Software Freedom Day event, Festa do Software Livre 2025 - dia 2. I fast forwarded to 2:20:30 in from the beginning of the recording to hear it. Thought I’d share in case it’s of interest.

That’s what I was trying to look into, what are the work-arounds? There’s not enough information yet, but it sounds like developers will still be able to install their apps using adb.

There’s going to be one barrier to publishing if Google requires developers to register with them. Some won’t want to do it for privacy reasons. There will be a second barrier if they require developers to pay to be registered as developers instead of offering an option for hobbyists who aren’t making money from their apps. Google will also lose potential apps and developers (and probably some users) for their devices, but doesn’t sound like they care. There are plenty of Android apps out there unlike what happened with Microsoft’s phone platform where they didn’t have enough apps to compete with Apple and Google.

I’m paranoid, but I backed up copies of my apks from my phone to my computer using adb in case they might get erased in future. If they still allow installation by adb, maybe I can reinstall them that way if they get removed.

I’ve read there are some options for 3rd party installation systems that use adb. So, maybe a project like F-Droid can take advantage of that route to install future FOSS Android apps. I have a feeling most FOSS projects are going to wait until the change is implemented before they try to come up with plans on how to deal with it. I’d love to be proactive and try to find some solutions now. I’m trying to update my build current environment, so I can build some FLOSS apps with the NDK myself. Most projects use Java or Kotlin but C and SDL or Raylib or Lua and the Love framework are very nice alternatives which I personally prefer. I always thought it would be cool to find a project that takes programs that work on Linux/BSD/Windows and port them to Android. Termux does some of that for command line programs.

There are some FOSS apps in the Google Play store, so the change won’t completely eliminate Free Software on the Android, but it will definitely cut down on the number of apps accessible and discourage some developers from building for that platform.

@Laura_Michaels :

Hi Laura,

thanks a lot for that insightful additional information.
And thanks for sharing tht youtube-link, including the relavant timestamp.

Seems we may have to wait a bit longer for more information to arrive.

O.K., I just let Duck.ai do a short evaluation of the situation and possible workarounds. It mentioned ADB too, like you did, Laura. So that would at least be one possibility. Let´s hope so.

I´d like to post the findings here, as it provides us with a summary of what´s going on, in case not everybody might want to read through the whole article I provided the link to.
After that there´s the section potential workarounds.

Current Situation on Google’s Policy Changes Affecting Sideloading

Google has announced significant changes that impact how Android developers will distribute their apps, particularly through sideloading methods such as using alternative app stores like F-Droid.
The changes may threaten the future of such platforms and limit users’ options for installing applications.

Overview of Google’s Changes

1. Developer Registration Requirement:

   Starting in late 2025, Google plans to mandate that all Android developers register with Google in order to distribute apps, including those not available on the Google Play Store. This will require developers to provide personal identification and potentially pay a registration fee.

2. Sideloading Limitations: After these changes, sideloading will mainly be possible using the Android Debug Bridge (ADB), which requires technical know-how. Apps from unverified developers will not be installable on standard devices, making it difficult for many users to install applications from sources like F-Droid.

3. Impact on F-Droid and Open Source Apps: F-Droid, a platform that offers free and open-source software (FOSS) is particularly concerned. They argue that Google’s initiative threatens their very existence by forcing developers to comply with restrictive conditions that may not align with the open-source ethos.

4. Identification Requirement: The requirement to submit government-issued ID poses privacy concerns and will likely deter many independent developers from contributing their apps to the ecosystem.

Potential Workarounds for Users

Given these impending restrictions, here are some possible workarounds to keep using sideloaded apps:

1. Use ADB for Installation:
   If you are comfortable using command-line tools, you can sideload apps using ADB. This will be the primary method for installing apps outside Google Play in the future.

2. Custom ROMs:
   Consider using a custom ROM that allows more flexibility with app installations. Some custom ROMs may bypass Google’s verification requirements, though they may require more technical expertise to install.

3. Alternative App Stores:
   Monitor the development of alternative app stores that may emerge in response to Google’s policy changes. There may be platforms that operate with fewer restrictions.

4. Web Apps:
   If applicable, consider using web apps as a temporary solution. Progressive Web Apps (PWAs) can function offline once downloaded, reducing dependency on traditional app installations.

5. Join F-Droid Community Efforts:
   Stay engaged with the F-Droid community or similar forums. They may devise new ways to continue app distribution or alternate methods for maintaining open-source software availability.

Conclusion

In summary, Google’s new policies will significantly impact how apps are distributed on Android, particularly through sideloading methods that many users rely on, especially those using platforms like F-Droid.
If this situation affects your app usage, exploring ADB, custom ROMs, and engaging with community efforts may help mitigate these restrictions.

Many greetings from Rosika

I love the summary. Maybe we can use this thread to keep up with different work-around techniques.

One way to connect with an Android phone is with adb. adb is part of the Android platform-tools: https://developer.android.com/tools/releases/platform-tools It can be downloaded from that page or using sdkmanager. This typically requires agreeing to Google’s licenses. There’s an older version of adb here that can be downloaded directly: dl.google.com/android/repository - platform/tools/google_prebuilts/studio/sdk/remote - Git at Google

Debian has a package to install adb Debian -- Details of package adb in sid It’s also part of the google-android-platform-tools-installer Debian -- Details of package google-android-platform-tools-installer in sid (listed in the non-free repository) which installs everything one needs for Android development except the cross-compilers. I tested this out at one point. Was told by the Debian devs, they don’t want to get into packaging the cross-compilers. Github has various projects with adb or forks of it as well like this one for a static version of adb that compiles with musl: GitHub - kiddlu/adb-static: for linux only, static build adb with musl libc

So step one is to get adb on one’s system. Some ways require accepting licenses and would qualify per Debian as non-free and some alternative builds may or may not be in the non-free category. The license is Apache 2.0, so the code itself should be Free. adb has been built for Linux, Mac and Windows. There were 32 bit versions but I believe Google is only using 64 bit builds at this point. So you’ll need the appropriate build of adb for your hardware/platform.

To connect to an Android phone, you need to enable developer options. This can vary by phone, so you may need to look up how. One method mentioned is to go to settings, go to about and tap the build number seven times. When developer options are available, you can turn on USB debugging in the settings to connect that way or turn on wireless debugging. When you connect, a dialog may come up and you will need to approve connecting before the connection via adb will work. You can use adb with real mobile devices or with an Android simulator (such as Android-x86 running via VirtualBox or Windows Subsystem for Android which is unfortunately deprecated). Many of the Android emulators were typically known to be very slow including options available with qemu and Android Studio.

If using wireless debugging, pair the devices using:

adb pair IP:port

To connect to a device using adb, use the following command:

adb connect IP:port

Whatever technique you use to connect, you may be asked on your devices if you’re sure you want to allow the connection. This has to be allowed before one can continue. You may not need to issue the adb connect command and won’t need to pair the devices if you’re connecting via USB directly.

After connecting, apk files can be installing using:

adb install file.apk

For xapk files (files with the .xapk extension), rename them to .zip. Unzip it to extract what’s in it. (Apk files are basically zip files with another extension.) Use adb to install but list all the files that were unzipped on the command line.

adb install-multiple file1.apk file2.apk

In the examples replace file.apk, file1.apk, file2.apk with the proper names of the apk files you’re attempting to install. Replace IP and port with the correct IP and port numbers.

You can see installed packages via adb using:

adb shell pm list packages

If you add -i, you can see the installer package (whether it’s Google Play store, F-Droid, etc). If you install via adb, this is usually listed as installer=null.

Using the name of the package from the package list, you can get the path where the package is installed with:

adb shell pm path org.package.name

Substitute the package name from the adb list command for org.package.name. Then, take the returned path and use it with the following command to copy an installed package (apk file) to your local system where you’re running adb. Replace package.apk with the name you want to give the package.

adb pull path/to/package package.apk

You can use this technique to back up packages on your phone to your computer if you’re concerned about losing them.

I personally don’t have a problem using Google play store (or the apple version,) but refuse to use Microsoft store. Mainly down to security of apps working virus free but the ms store mainly is to pay for hence I don’t use.

Anyone with Amazon fire are stuck with limited apps on Amazon store not everything is available so did not but their tablet

I worked for Microsoft as a business partner and the sum they offered me to write apps for the store against what they were going to charge was a joke

The worry is if Google introduced a pricing structure. Apple already do. Libre office android Google store free. Apple and Microsoft to pay unless you go direct to the site.

I saw some articles that discussed specifically why F-Droid as it is may have issues with the new Google security changes and also what loopholes will still be available to install the software you want on the device you own. Some of them referred to this article: Android Developers Blog: Let's talk security: Answering your top questions about Android developer verification This looks like it’s direct from the source so hopefully it’s accurate. Some interesting lines in the article:

“Android Studio is unaffected because deployments performed with adb, which Android Studio uses behind the scenes to push builds to devices, is unaffected. You can continue to develop, debug, and test your app locally by deploying to both emulators and physical devices, just as you do now.”

“We recommend you register. It’s a simple, one-time process that will allow anyone to download and install your app. However, if you prefer not to, we are also introducing a free developer account type that will allow teachers, students, and hobbyists to distribute apps to a limited number of devices without needing to provide a government ID.”

We’ve yet to see if they do create a free developer option and what they are going to require for people to sign up for it. However, it’s interesting that they’ve said you don’t need a government ID. It also doesn’t specify what “limited number of devices” means. Is that too limiting to make it an option for a FLOSS developer? Are they going to need to pay a registration fee just to share their FLOSS apps with others? I really dislike the centralized model this creates because the registration could technically be revoked at any time and for any reason. The chance of human or AI error in revoking the privilege to develop and share apps is far too likely a possibility. Also, developing for Android becomes a privilege not a right as in the Free Software viewpoint.

From what I’ve read, the main issue F-Droid is likely to have is that they build many of the projects themselves and use their own key to sign the apps. If the projects use reproducible builds with the original developer’s key and the developer is registered, then it won’t be an issue with the new Google security changes. I do think this could potentially restrict many projects that are currently distributed through F-Droid in the cases where the developers are not registered and not using their own key. Even if Google began offering a free tier for registration as they propose, I would assume some Free Software advocates would not want to register. One can make their own key. That’s not a big issue. I had looked into distributing some of my apps with F-Droid at one point and found it a bit limiting because their build process seemed to be geared to more standard apps that used Java or Kotlin. Some developers may do it, but I wasn’t able to find an easy way to distribute apps built with the NDK through F-Droid. I don’t believe their build pipeline supported cross-compiler and NDK based builds.

Last point and I found this very interesting:

“Apps installed through enterprise management tools on managed devices will also be installable without being registered.”

This might potentially mean that some FLOSS distribution project could leverage an Enterprise management solution in the future to install apps without needing to go through the registration process. There is an official form to ask for clarifications to the Android developer verification requirements and I asked if it was possible that a FLOSS project could use this technique to distribute apps to FLOSS enthusiasts who are aware of the risks of running FLOSS software, are potentially savvy enough to audit the source code they run on their systems and would prefer to run FLOSS apps over commercial ones. It would be useful to know which Enterprise management tools would be considered exempt and what other restrictions this technique would entail. Technically, it might make a great option for FLOSS distribution if Google was willing to tolerate that. It could also possibly offer a way around losing developers who may not wish to register with a central agency just to create an app.

I’ll end with two more resources. The first is a link to a form from Google asking for feedback from hobbyist developers on the new security and verification procedures they’re implementing. The second is the form for questions or feedback on the new Android verification requirements. I hope to see concerned parties sending feedback to Google using these or other forms and voicing their worries and challenges with the upcoming changes.

The app may be free to download, but technically someone from the project or the packager had to pay a one time registration fee to be a Google official developer. I’ve read about situations where someone who is not part of a FLOSS project repackages the project and puts it on the app store. This can be a negative for official developers as they have no control over the quality of the project or if bug fixes are shared. It could reflect poorly on their project if people just associate the app name with their project and don’t notice who distributed it. Also, some people have repacked free apps and charged users (who weren’t aware it was a Free app) to download the app, effectively making money off of someone else’s hard work. There are some cases where original developers charge for Free apps on mobile devices to make some extra money for their project or developers as well.

It’s nice that LibreOffice is free on Google, but there are other FLOSS projects that aren’t. It’s also nice that Google Play store distributes FLOSS apps right along with commercial ones. However, not all FLOSS developers are going to want to jump through hoops to distribute their software through a store like that. Many of my favorite apps aren’t on Google Play store. They’re typically simple hobbyist apps that perform a task well or provide an entertaining game. They don’t have advertising and commercial interruptions. A lot of that diversity will be wiped out by the upcoming security changes.

The obvious solution is for the Linux community to develop an Android alternative.
Linux already has many of the apps, and they are free and accessible. I feel sure F-Droid would happily pair up with Linux. We also have Android-x86 which could be a reasonable starting point.
There is an opportunity here which Linux should not miss.

Now a far remove from the company they were 21 years ago :

image1200×815 51 KB

the TermUX on Google Play is rubbish - 'cause Google keep pulling the rug out from under developers by changing, seemingly randomly, their APIs…

Power often seems to lead to corruption.
Linux is fortunate to have a benevolent fair-minded leader.