Android Developer Verification: Threat masquerading as protection

Scope of Google’s Android Developer Verification (ADV)

  • ADV is described as a Play Services / Play Protect component with system-level privileges that will classify apps and developers as “verified” or not.
  • Verified devs must provide government ID, personal details, and register signing keys; ToS lets Google terminate access and label apps as “malware or harmful” without a precise definition.
  • Some say ADV only changes the install flow (warnings + 24h “advanced flow” and developer mode for unverified apps) and does not delete existing apps or block sideloading outright.
  • Others fear it’s a technical and legal foundation for future blocking of F-Droid, ad‑blockers, and politically disfavored apps.

Malware vs. Security vs. Lock‑in

  • One camp calls ADV “malware” or “trojan” because it’s unremovable, deeply privileged, and primarily serves Google’s control interests rather than user security.
  • Another camp objects to that language as misleading fear‑mongering, arguing it’s a (flawed but real) response to large‑scale phishing and banking malware campaigns.
  • Debate over slippery‑slope: some say history shows dire predictions often don’t reach “the bottom”; others counter that many recent “security” moves did erode freedom (e.g., Chrome extension changes, Play Integrity).

EU Law, Antitrust, and Comparisons to Apple

  • Multiple comments question compatibility with the EU Digital Markets Act and Digital Services Act; some have already filed DMA complaints or contacted regulators.
  • Others argue DMA Article 6(4) allows such measures if “strictly necessary” and user‑controllable, and that ADV is partly to comply with EU rulings on openness.
  • Apple is cited both as precedent (“Google is just catching up to Apple’s walled garden”) and as contrast (“Google is retroactively locking down a platform that was sold as open”).

Impact on Users, Developers, and Alternatives

  • Power users stress Android’s appeal was freedom: sideloading, F-Droid, custom ROMs, personal APKs. If that’s eroded, many would rather accept Apple’s more polished but honestly closed ecosystem.
  • Serious concern about centralization risk: a single Google account ban can wipe email, documents, payments, devices; ADV increases that leverage over developers.
  • F-Droid is criticized for inflammatory tone but also defended as correctly highlighting that Google alone will define “harmful.”
  • Strong interest in alternatives:
    • GrapheneOS (Pixel‑only for now, with upcoming Motorola support) seen as the most secure de‑Googled Android; debates over its strict hardware/security requirements.
    • LineageOS, /e/OS, and other AOSP forks discussed, but many note issues with outdated kernels, firmware, and banking / government ID apps that require Play Integrity.
    • Non‑Android Linux phones (Sailfish, Ubuntu Touch, postmarketOS, PureOS, Mobian) are mentioned, but most agree they’re immature, app‑incompatible, and far less secure than modern Android/iOS.

Proposed Responses

  • Practical suggestions include:
    • Switch to GrapheneOS or other de‑Googled ROMs where feasible.
    • Use ADB installs and avoid Play Services where possible.
    • Support petitions (e.g., keepandroidopen.org) and file regulatory complaints, especially in the EU.
    • Pressure banks and governments to support web‑based and hardware‑token authentication instead of App‑Store‑locked ID apps.