August 2025. Google drops the announcement: starting 2026, all Android apps — including sideloaded ones — must come from verified developers registered through a new Android Developer Console.

The community panicked. Google’s PR machine kicked in. Blog posts, tweets, reassurances. “Sideloading isn’t going anywhere,” they said. Journalists copied and pasted it. Everyone relaxed.

But here’s the trick: Google never actually built the “advanced flow” they promised. It’s not in Android 16 QPR2. Not in QPR3 Beta 2.1. Not in Android 17 Beta 1. It’s vapor.

F-Droid calls Google’s reassurances “clear, concise, and false.”

Here’s the play, step by step:

• $25 fee → Every developer must create an Android Developer Console account and pay Google
• Government ID → Personal accounts need ID verification. Organizations need business registration docs
• Signing key submission → You hand Google evidence of your developer signing credentials
• App identifier disclosure → Google knows about all your current and future apps

If you don’t do this by the deadline → your app cannot be installed on certified Android devices.

Between you and me, this isn’t about “security.” Google Play already hosts scam apps and malware from verified developers. Criminals just buy existing verified accounts. This is about control.

The real casualties:

• F-Droid → Can’t register on behalf of thousands of independent open-source devs
• Obtainium → Same problem, different wrapper
• Small indie devs → The ones who don’t want to hand their passport to Google
• Custom ROM users → Play Integrity already blocks rooted and unlocked bootloader devices
• Privacy-focused users → The entire point was avoiding Google’s ecosystem

From Hacker News and the F-Droid community:

“The promised feature hasn’t appeared in any Android 16 or 17 betas. Google is quietly proceeding with the original lockdown.”

“Any solution that disadvantages F-Droid compared to the less trustworthy Google Play is a problem.”

“It’s my phone.” — the whole argument, in three words

“Many banks now require app-based 2FA, government services use mobile-only apps. Making alternative OS adoption nearly impossible.”

F-Droid’s official position: they’ve added a warning banner to their client apps. IzzyOnDroid and Obtainium are doing the same. They’re asking people to contact their local regulators before it’s too late.

Here’s what nobody’s talking about: the enterprise exception. Apps distributed through your organization’s managed devices skip verification entirely. So corporations get a pass while individual users and hobbyist developers get locked out.

This is the Apple playbook. Google watched Apple charge 30% through a locked gate for 15 years and thought, “Why aren’t we doing that?” Except Google’s version is sneakier — they’re not banning sideloading technically. They’re just making it require Google’s permission. Which is the same thing with extra steps.

The EU might be the only hope here. The Digital Markets Act designates Google as a gatekeeper, and this kind of move is exactly what the DMA was designed to prevent. But regulation moves slow. September 2026 doesn’t.

Most F-Droid users have no idea what’s coming. Here’s what you do: build a tool or Telegram bot that audits someone’s installed F-Droid apps, checks which developers are likely to get verified (and which aren’t), and suggests alternatives or backup APKs before the September deadline.

Charge a small subscription for ongoing monitoring alerts. Think $2-3/month in local currency.

Example: A developer in Jakarta built a Telegram bot in late 2025 that helped Indonesian users back up their sideloaded banking apps before a carrier policy change. He charged 15,000 IDR/month (~$1) and got 4,000 subscribers through local tech forums. That’s $4K/month from a weekend project.

Timeline: Start now → enforcement in Indonesia begins Sep 2026 → you need to be established before the panic hits

The demand for phones that don’t answer to Google is about to spike. GrapheneOS, CalyxOS, LineageOS — these exist, but normies can’t install them. Here’s what you do: offer a remote or local setup service. Flash the phone, install F-Droid, configure everything, hand it back.

Charge $50-150 per device depending on complexity. Target privacy-conscious professionals, journalists, activists.

Example: A guy in Prague started a “privacy phone” service on a local classifieds site in 2025. He buys used Pixels for €120, flashes GrapheneOS, pre-installs a curated app stack, and sells them for €300-350. He moves about 8-10 per month through word of mouth alone. That’s roughly €1,500/month profit from his apartment.

Timeline: Demand curve starts climbing the moment enforcement gets closer → get your process documented and repeatable now

Before the gate closes, smart people will want offline copies of every APK they depend on. Here’s what you do: build a service that lets users create a personal APK vault — versioned, checksummed, stored in their own cloud or local NAS.

Think of it like a personal Wayback Machine but for Android apps. Charge per vault or per-device backup.

Example: A sysadmin in Manila built an Electron app that scrapes a user’s installed app list, downloads matching APKs from APKMirror, and stores them in a structured local archive with hash verification. He listed it on Gumroad for $12. Sold 600+ copies after a single Reddit post about the sideloading ban. That’s $7,200 from one weekend of coding.

Timeline: The window is NOW → once enforcement drops, the APKs get harder to source → build the archive before the wall goes up

Here’s an angle nobody’s exploiting: in-person and virtual workshops teaching people how to switch to custom ROMs, use F-Droid properly, and protect their app ecosystem before Google locks it down.

Target tech-savvy communities, makerspaces, privacy meetups. Charge $15-30 per seat.

Example: A security researcher in São Paulo started running monthly “Liberte Seu Android” workshops at a local hackerspace in early 2026. She charges R$75 (~$15) per seat, caps at 20 people, and has a 3-month waitlist. That’s R$1,500/session, plus she sells pre-configured devices on the side. Brazil is Wave 1 enforcement — the urgency is real.

Timeline: Brazil, Indonesia, Singapore, Thailand hit enforcement in Sep 2026 → start workshops in these countries ASAP while people still have time to prepare

The EU’s Digital Markets Act, Brazil’s competition authority (CADE), India’s CCI — all of them have mechanisms for individuals and organizations to file complaints against gatekeepers. Most people don’t know how. Here’s what you do: create template complaint letters, guide users through the process, offer to file on their behalf.

Monetize through a Patreon/Ko-fi model or charge a flat fee per filing.

Example: A law student in Berlin created a website with pre-filled DMA complaint templates targeting Google’s Android changes. She included step-by-step guides in 6 EU languages. Her Ko-fi brought in €800/month after privacy-focused blogs picked it up. The EU Commission actually cited “volume of individual complaints” as a factor in opening a preliminary investigation.

Timeline: Regulatory pressure works best BEFORE enforcement → file complaints now while there’s still a window to influence policy