Sunday, February 01, 2026

Fear and Loathing in the App Stores: when FLOSS principles collide with the Gatekeeper interests

Marc Prud'hommeaux – FOSDEM26, 1 February 2026

(Personal transcription, prepared with care and affection; but please cross-check against the delivery)

Thank you for coming. I might surprise you based on my technical difficulties I've just had right now. But yeah, I've been developing software since I was a little kid, and I've been developing apps for the iPhone and for Android since 2008, basically since the beginning of when you could do that. And I developed the very first e-book reader for the iPhone. That was known as Stanza. That went on for a while. And then since then, I've done dozens of other apps. More recently, I created an open source tool called skip.dev that helps you develop apps for both iPhone and Android from a single code base. I'm also the founder of the nonprofit App Fair Project, which helps promote and distribute apps universally for both platforms. And I'm also a board member of the F-Droid Project as of last year. So nearly everyone in the world has a little computer in their pocket. There's over 6 billion smartphones around the world. The vast majority of human beings have one. And these devices, they know just about everything about us. They know where we are. They know who we are. They know where we're going. They know what we're interested in, what we like, our media, our movies, and so on. And the question is, who really owns this device? Is this yours? You bought it. It's your property. But do you actually own it in the sense that you have complete control over it, that you have agency?

So how does software get onto a computer? When I first started developing software back in 1982, I had a little Radio Shack TRS-80 that had no persistent storage. So I subscribed to a magazine called the Rainbow Magazine, and they'd send you an issue every month. And in it, they would have printed pages of source code. And so I would sit there and I'd tediously transcribe that source code from my computer, from the pages of the magazine onto the computer, and then hope that you didn't make any typos, because debugging was quite a primitive operation back then. And then you would run it. And this would be little games or graphics demos or things like that. So that was how I really got started in software development. Since then, from that point on, I got a cassette tape peripheral that would let you save and load your program so that it wouldn't disappear when your sister … your computer. And from then on, you moved on to floppy disks, and hard disks, and CD-ROMs, and so on. As we all know, that's all gone. You don't have really physical media ever. Every once in a while, a CD, but it's pretty much gone the way of pretty much everything else from the last millennium.

And the result is that we distribute software over the internet now. And app stores have been the result of that phenomenon, where a single organization will collect a number of applications and potentially curate them, and then list them for download and allow you to download them directly to your device. On mobile platforms, this is far and away the most predominant form of software distribution. In an app store, when you run it on your phone, it's really just an app that installs apps. It's not really doing anything fancy. It's essentially a Gussie Puck downloader. It has some features like search. You might be able to review applications. You might be able to categorize them and browse them. But really all it is, it's an app that installs apps.

As of around the launch of the modern generation of smartphones, you really had two players that rose right around the same time. Apple's iOS, which runs on their iPhone and then subsequent devices like the iPad, and then Google's Android. iOS is exclusive to Apple devices, and Android runs on not only Google's own devices that they did not start out by manufacturing, but on a variety of other manufacturers that they license out the operating system to. Generally speaking, worldwide, Android has about a 75% market share, and iOS more or less takes up the rest. And then you have a very long tail of very small representation of other devices. But for the most part, BlackBerry is gone. Windows Phone is gone. You're left with really two players in this market.

When apps started getting first developed for these devices, when they were first released, there were no app stores. The very first app store was actually just like Cydia, which was developed by Jay Freeman, also known as saurik, back in 2008. And this was a really nifty little app store. People were blown away. The iPhone came out and it only had a few built-in applications: a web browser, a calculator, a contacts list, and things like that. But for the first time, this was something that allowed you to browse and download and potentially purchase applications from a variety of sources, from a variety of developers. And it was wildly popular. It had started out with a small catalogue with hundreds of apps, maybe even thousands. It had millions of developers, and it was pretty neat.

It didn't last long, though, because in iOS 2.0, when that came out, Apple introduced their own App Store. And they said that this was going to be the exclusive way of developing and distributing software for their devices. At the same time, they changed the operating system to break all the mechanisms that Cydia was currently using to be able to install their applications. And they essentially froze out that platform. Cydia continued on for a few more years, finding workarounds to be able to continue operating and continue serving their users. But ultimately, if you are fighting against the platform, as you may have heard from the previous talk, you're always going to wind up losing. And the platform vendor is absolutely dedicated to crushing you.

Android, on the other hand, took a different track. They started out by providing APIs for other developers to be able to develop and distribute their own apps. And that actually wound up starting a fairly open ecosystem, a vibrant ecosystem, of a number of different app stores. There were a number of commercial app stores. A couple of the big ones in the West were the Amazon app store, the Samsung Galaxy store worldwide. And there were also some non-commercial ones, F-Droid being a notable one, which I'll describe in a little bit. But it was never really a level playing field. The vast majority of Android devices are Android certified, and that certification process comes with various requirements. One of those requirements was that the Google Play Store be the most prominent, only pre-installed device and prominently displayed on any handset that was Android certified. And that was problematic for competition in that space.

And over the years, these two different gatekeepers, all their policies started to converge and align. You wind up having a system where the Apple App Store and the Play Store have more or less the same sequence of operations you need to go through in order to get your phone onto end devices. Developers need to identify themselves and register centrally. They charge developer fees, some of them annual, some of them one time. There are lengthy terms and conditions that you need to agree to. And these terms and conditions are obviously non-negotiable. And furthermore, they're always changing. They're always changing out from under you. They can come up tomorrow with a new set of terms and conditions. If you don't agree to it right away, you're out of the store. So it's very much a short lease that developers are kept on. Every app that you want to distribute has to be uploaded to their portal. It has to be reviewed by humans, potentially, or some degree of automation or a combination. And then if it's approved, once it's distributed, that same process, you need to go through, again, for every single update that you distribute.

The benefit is that you can reach billions of potential customers. And the entire world is your oyster if you distribute through these stores. The cost is that they take a 30% cut off of the top of any digital sale that goes through any of these applications. And that 30% cut leads to extraordinary profit margins for these business divisions. The Google Play Store, as it came out in the Epic trial last year, makes around 70% profit margin. The Apple App Store makes around 80%. And that is unprecedented in the history of technology. In comparison, AWS makes around 20% to 30% profit margin.

So what's the problem, though? Be thankful for what you have. Feel lucky that you're able to reach these gigantic user spaces, these margins. We here love free software, but we often don't examine why. We don't often say, what is it about free software? What problems does it solve? Why do we prefer this over other ways of developing, distributing software? So one hazard that has arisen, especially in recent years, has been that these large profit margins have led to developers seeking alternative monetization routes for their apps. Rather than paying an exorbitant 30% cut to Apple or Google for your app store app, you can seek alternate means of monetization. And that is often through advertisement. An advertisement can provide a direct stream of revenue for the developer, but as a side effect and as an additional revenue stream for the people that are providing this ad tech, they provide a stream of data collection from your devices to centralized data brokers that then package them up, resell them throughout the world. This data collection is massive in scale. It can get all sorts of information from all sorts of parts of your devices. If you trust it with your contacts, with your calendar, with your location, with your media libraries, your photos, your camera, it can assemble these gigantic dossiers of people that are extremely valuable to resell.

What does your phone know about you? It has all these sensors. It tracks not only where you are, but where you're going, what your habits are, what your interests are. And it can derive all sorts of secondary information, not just your interests, your religious affiliation, your political allegiances, and so on.

So how do you identify the good apps and the bad apps? Almost all of these are marked as free, not in the sense of free software, but in the sense of it costs your own money to download. How do we identify the good from the bad? And the problem is that you really can't. You have these opaque bundles of binaries that get sent down to your device, and you can't look inside. They are, at the very least, obfuscated. And at the very worst, especially in the case of Apple devices, they are encrypted. And if you are in pretty much any Western country, the law will be adhering to the principles of the United States Digital Millennium Copyright Act, which means it is a felony to break open these applications and look inside and examine what exactly they're doing. Not everyone has the Digital Millennium Copyright Act, but more or less every Western country has equivalent laws on the books that have followed the precedent.

So free software to the rescue, obviously, right? You can publish the source code and you can publish the app and you can tell people, okay, line these two things up. And you can see we're not doing anything nefarious. We're not sneaking off your information. But can you work with that on a personal basis? Can you just say, as a principle, I'm only ever going to download these applications from these commercial app stores that are sourced from places where they build the software in the open? And you could, in theory, you would have to manually manage that curation yourself, but you would be hard-pressed to actually prove it. Someone can say, “here's the source code that goes into my app,” but how do you actually prove that these opaque blobs match the code that was published online? It’s trivially easy to slip in a little extra thing right before you submit a build that might add in an ad network, a data broker, all sorts of data collection, surreptitiously tracking your personal information. And your claims would be false, but it would not be provable.

That's where F-Droid comes in. How many people here have heard of F-Droid? Oh. I probably don't need to give you all that much background. It started in 2010. It's one of the oldest app stores out there, over 15 years old as of last year, and it's exclusively free and open source software, and it is verified. Either the project itself will build the binaries and distribute them to end users, or it allows the developer to build the binaries themselves and distribute the binary, and then the F-Droid project will validate that by performing a reproducible build of that and checking bit by bit that they're the same. It's essentially impossible to hide anything when it's distributed through F-Droid.

So that's for Android. You might say that we've got Android covered in that respect. So let's hop over to the other side of the duopoly. There's nothing like that for iOS. As I mentioned, all iOS apps are encrypted. There's no open app store APIs. You only have one route to doing it, and you have no means of verifying it. However, the Digital Markets Act popped up fairly recently. It was proposed in 2020. It passed in 2022, and it came into enforcement in March 2024. And that mandates that the digital gatekeepers of online intermediation services, in other words, Apple and Google and their app stores, be able to provide the ability to have competition in the market and open up their APIs to allow alternative app marketplaces. That is what came into effect, and a lot of people thought, “great, we are going to have F-Droid for Apple now, and we can have a single universal source of applications across both sides.”

The problem, as many people know, is that the actual claimed compliance on the side of iOS was the implementation of the alternative app marketplaces. It establishes a lot of rules for the marketplaces themselves. You need to get approval from Apple. You need to be based in the EU. You need to provide a 1 million euro standard business letter of credit. And then you have core technology fees, basically junk fees that are layered on top of it that are applied on a per download basis, even for free applications. For developers, you might think that you could just submit your app directly to these alternative app marketplaces like you can do on Android. No, you still have to do exactly the same thing as if you're distributing your app through the Apple App Store. You need to get approval, you need to pay your fees, you need to agree to the terms and conditions, upload the app, and then wait and hope for approval. And only then is the app processed by Apple and bounced over to the Alternative App Marketplace, which then is permitted to redistribute it to the users of these marketplaces.

The biggest problem is that the exact same restrictions on the closed source marketplace apply to the alternative app marketplaces, which is that the apps are wrapped up in a DRM bundle. They are encrypted. And this not only means that the end user can't see inside the app, it also means that the alternative app marketplace is also unable to look inside the app, which makes it essentially impossible to comply with Apple's own contractual rules for these alternative app marketplaces, which is that they guarantee that any apps they distribute are free of malware. They have that requirement, but they do not offer any possibility that anyone can legally verify these apps, not only by scanning the binaries, but by lining them up with the underlying source code.

So OK, at least we still have Android, though, right? So maybe iOS is a lost cause. Maybe the rules are not going to be enforced for them. But we still have Android. And we did, up until the end of last year. At the end of last year, a lot of you probably heard that Google announced their Google Developer Registration Mandate, which requires that anyone who wants to distribute applications anywhere in the world on an Android-certified device, regardless of what storefront it goes through or whether you're just, you know, providing it for direct download from your website, must register centrally with Google. And the rules might sound familiar to you. You have to register centrally, you have to agree to ever-changing terms and conditions, you have to pay a fee, and you have to register each of your applications with Google and in an ongoing way, any new applications, you need to go through them. And this is a gigantic problem for the world of free software. All of a sudden, these two marketplaces are starting to really close in and align on all of their policies.

And this is a critical problem for F-Droid, because we can't really require our developers to register with Google, especially if we're just reproducing their builds. Many will not. So, it's really an existential crisis for marketplaces like ours that really rely on the freedom and independence of the app developers to be able to distribute their applications.

But it's not just about what apps are available, it's also about what applications are not available. The centralization of control should be concerning for everyone, not just free software developers, because you have a lot of perils that come from centralization. You have a lot of examples of how any centralized control can lead to abuse. You saw this in Hong Kong in 2019. You saw this in Russia in 2021, with the fair voting application that got pulled, and you saw it in the US in 2025, when applications that were designed to help people protect themselves from police brutality were unilaterally and extralegally pulled from these app marketplaces at the pressure of the administration. In each of these cases, these were extralegal requirements that gatekeepers wound up complying with, and this had worldwide consequences. And there was no review. There was no accountability. And it's definitely going to continue happening again and again.

So what can we do about this? How can we actually change this? What hope is there? As you probably know, I'm from the United States, so the likelihood of there being meaningful regulation any time in the next few years is extraordinarily unlikely. But policymakers in Europe are actually very receptive to feedback, to communication. I've talked with many of them myself. I frequently consult with Digital Markets Act regulators on how to go about things.

You need to make your voice heard to your policymakers. You need to point out that the only real path to digital sovereignty is through the total disintermediation of centralized control. You really need to be able to make it so that you can get directly to end users without going through one single centralized group.

I started a website called Keep Android Open that focuses on pushing back against the Android developer verification mandate. I encourage people to take a look at that to see points of contact. For developers, I think everyone should consider the promotion of these alternative app marketplaces by developing for them first. If you're an Android developer, consider shipping your app on F-Droid before anything else. And then there's nothing stopping you from also going to a Google Play Store. If you're on iOS, sign up for AltStore and try distributing your application there. These app marketplaces are growing and thriving, but they need more high-quality software, and software developers are the ones that we really need to provide that.

And for everyone, developer, user, policymaker, use these marketplaces. If you do not have them installed on your phone, download F-Droid for your Android phone, download AltStore if you're in the EU or Japan. And use them, see what they have, and who knows, eventually they might be your one and only exclusive source of applications. So my time's up. Thank you very much for coming.