Google Promised a Way Out of Android Lockdown. We Checked the Code. It Doesn't Exist.

In August 2025 Google announced that they would require developers who publish apps on the Play Store, or anywhere else for that matter, for any Android device, to register their actual identity with Google. If not, the app won't be available to install. Full stop.

What Does This Mean for Developers?

If you distribute an app outside of the Play Store today, you can actually do it anonymously. This is great for hobbyists, researchers, or open source developers of free software. Starting September 2026, this will no longer be possible.

The verification process requires a legal name, address, phone number, email, and in some cases even a government ID. For an organization, you need a DUNS number. What is a DUNS number? A business identifier issued by Dun & Bradstreet, it usually takes up to 30 days to process and it isn't even available in every country. Some consulting firms are already advising developers from unsupported regions to incorporate shell companies in Singapore or the UK just to be able to get a DUNS number so they can keep publishing for the Android system.

For example F-Droid, the open-source app repository, in other words an open-source app store, that has operated outside of Google's ecosystem for over a decade at this point, estimates that about 90% of the developers in their catalog will be unable or unwilling to comply. Marc Prud'hommeaux, F-Droid's lead developer, called the requirement "an existential threat to free software distribution platforms."

The "Keep Android Open" letter, an open letter to Google, was published on February 24, 2026 and signed by 41 organizations including the EFF, Tor Project, Proton, the Free Software Foundation, KDE and European Digital Rights. It pretty much calls Google out over the fact that registration could give Google a single point of control over every app on every certified Android device. Anywhere in the world.

So What Does This Mean for Users?

For most people, nothing changes immediately. If you only install apps from the Play Store, you won't notice anything. The enforcement begins in Brazil, Indonesia, Singapore and Thailand in September 2026. Global rollout can be expected to follow in 2027.

What does in fact change is the architecture of your device. Your phone will now refuse to install software that Google has not approved of through their verification system, regardless of whether you sideloaded the app or not. By the way, sideloading is just another word for installing, just outside of Google's Play Store. This means in the end that the decision about what you can run on your own hardware is no longer completely yours.

For users who sideload apps, like alternative browsers, privacy tools, apps that are unavailable in your region, no matter the purpose of your sideloaded app, you will effectively hit a hard wall. That is the practical effect. Apps from unverified developers won't install. That's not a bug in the implementation. It's the feature.

Google's Concession

The announcement in August 2025 hit hard. The backlash was pretty much immediate. By November 12, 2025, Google posted an update on the Android Developers Blog that looked like a retreat.

They were, they said, building something for power users. An "advanced flow" (that's what Google referred to it as) that would allow experienced users to accept the risks of installing software that isn't verified.

Designed specifically to resist coercion so users couldn't be pressured into bypassing safety checks by scammers. Clear warnings, informed choice, ultimately left in the user's hands.

Google's official support documentation, which still carries this language, describes it this way: "We are building a flow that allows experienced users to proceed with installing an unverified app after going through a series of clear warnings."

That was November 2025. The enforcement deadline is September 2026. So we decided to check what they've actually built. So far.

What the Code Says

We obtained and used JADX to decompile the Google Play Store APK dated February 27, 2026, the latest build as of writing. We searched the seven compiled class files, totaling approximately 50MB of decompiled code, for any implementation of the advanced flow Google announced. All string searches and code traces were verified manually and components were cross-checked for relevance to the developer verification system.

Here is what we found.

The blocking infrastructure is fully built. "AndroidDeveloperVerification" exists as a UI component. "AdiVerificationFailedUiModel", the error dialog that appears when verification fails, exists. "HIGH_RISK_BLOCK" and "HIGH_RISK_WARN" exist as distinct policy states. "INSTALL_ANYWAY" exists as a button label. "AndroidDeveloperVerificationAllowInstallAnyway" exists as a screen. The functionality to stop you from installing an unverified app is present, complete, and ready to be switched on.

Now here is what we searched for and did not find: "advanced_flow". "experienced_user". "power_user" in any verification context. "expert_mode". "bypass_check". "trust_developer". "allow_unverified". "risk_accepted". Every variant we could construct. Zero results.

The one relevant hit was "googlerOverridesCheckbox", an internal override for Google employees. Not for users.

We also examined what the warning flow actually leads to. The "HighRiskWarn" dialog exists, but tracing its outcomes, the "WarningUserDecisionTask" class branches to two possible actions: "UninstallTask" and "HideRemovedAppTask". Enforcement actions. Not permission grants. The "onProtect" callbacks are "onProtectHighRisk", "onProtectMediumRisk", "onProtectSafe", all framed as protection, none as user choice.

Where This Leaves Things

F-Droid's frustration has been documented. They noted publicly that Google "refused repeated requests for concrete information about what form their so-called 'advanced flow' will take." Google has an enforcement system ready to deploy. They have a press release promising a user escape hatch. They did not, as of February 27, 2026, have the escape hatch ready. Nor do we have any indication of when it will arrive.

There are a few possible explanations. The feature is being developed server-side and hasn't landed in the Play Store APK yet. It will ship closer to September 2026. Or it won't ship at all, and Google will quietly reframe the deadline, citing ongoing "design feedback" or some other formulation that sounds like iteration and functions like delay.

Either way, the public record now exists. Google said they were building something. The code indicates they haven't started yet. Enforcement is seven months away.

Android used to mean you owned your device. It still says that in the marketing. The code is starting to tell a different story.

APK analyzed: Google Play Store base.apk, February 27, 2026. All string searches conducted across classes.dex through classes7.dex. Source files available on request.