Tech Rackets We All Accept

App Stores Are a Racket and We All Just Accepted It

Let me say what a lot of people in tech are thinking but won’t put in writing because they work for someone who does business with one of these companies: app stores are one of the most successful long con operations in the history of consumer technology, and they have made both users and developers objectively worse off while extracting billions in the process.

I am not being hyperbolic. Walk through it with me.

They Sold You Safety and Delivered a Marketplace

The original pitch for curated app stores was security and simplicity. One place to go, everything vetted, no need to think about where software comes from. Trust the platform. It was a compelling pitch in 2008. It is embarrassing in 2025.

Planet VPN and X-VPN are both sitting in the Microsoft Store right now. X-VPN has a documented history of logging and selling user data. Planet VPN has been flagged in multiple security analyses for behavior that has no business being on a machine you care about. Both have “verified” badges. Both are one click away from being installed on a family laptop by a kid who just wants to get around a content filter.

That is the real product the storefront is selling you. Not safety. The feeling of safety. There is a difference, and the difference matters when it is your data walking out the door.

The “verified” badge is a liability shield for the platform, not a guarantee for the user. It means someone made an account, uploaded a binary that passed automated scans, and paid whatever fee applies. That is it. The store is not auditing behavior, is not reviewing what the app does with your data at runtime, and is not accountable in any meaningful way when something slips through. And things do slip through, constantly, at scale.

The Malware Pipeline Is Alive and Well

Security researchers publish findings on malicious Play Store and App Store apps on a near-monthly basis at this point. Fake utilities, cloned banking apps, VPNs that are really data harvesters, “free” tools that are monetizing your traffic or your contacts or your location. The storefronts catch some of it, eventually, usually after researchers go public. By then the damage is done.

This is not an accident of the system. It is a predictable consequence of optimizing a distribution platform for volume and engagement while treating security review as a cost center. The incentive is to get apps listed fast and get users installing. Rigorous review slows that down. So review stays shallow, bad actors adapt to pass shallow review, and the cycle continues.

And here is the part that should make you angry: the platforms know this. They have the data. They know their review processes are inadequate. They keep collecting their 15 to 30 percent cut anyway, and when something catastrophic gets through, they issue a statement about how they take safety seriously and quietly delist the offending app after the fact.

Google Is Playing a Different Game Entirely

I want to spend some time on Google specifically because what they are doing with Android is in a different category of bad.

Google has spent years using security concerns as cover for a coordinated effort to make sideloading functionally impossible for average users. The friction they have added to installing apps outside the Play Store is not incidental. It is engineered. Multiple confirmation dialogs, warnings designed to look like genuine danger alerts, settings buried in menus that vary by device and manufacturer, and in some Android versions, features that literally re-disable the setting after you use it.

The stated justification is malware prevention. The actual effect is platform lock-in. If you cannot easily install software outside the Play Store, you are captive to the Play Store. Every developer who wants to reach Android users has to go through Google. Every transaction Google can route through their billing system, they will. The 30 percent cut does not come free.

The newer developer policy changes have tightened this further. Requirements that push more transactions through Google Play Billing, policies that restrict what apps can even do if they are distributed outside the store, review processes that are opaque and inconsistently applied. Small and independent developers get caught in enforcement sweeps that seem indifferent to context. Apps that have existed for years get delisted without clear explanation. Appeals go nowhere or take months.

Meanwhile the bad actors are still there, because bad actors are motivated to navigate the friction. They have the resources and the incentive to figure out how to pass review. Independent developers who cannot afford a legal team to parse policy documents are the ones getting squeezed.

It is almost like the policies are optimized for something other than safety.

Sideloading Is Not the Problem

The argument against sideloading is that unsophisticated users will install dangerous things. This is true. It is also true of the Play Store and the App Store and the Microsoft Store, as we have established. The difference is that with sideloading, the responsibility is clearly on the user. With a curated storefront, the platform has accepted responsibility and then quietly declined to exercise it while collecting the fee.

I will take honest friction over false safety any day. If installing something outside the official store requires me to acknowledge that I am taking on responsibility for what I install, that is a meaningful and honest interaction. It is more honest than a badge that implies vetting that did not happen.

The push to eliminate sideloading is not about protecting users. It is about protecting market position. Full stop.

What This Has Done to Users

The downstream effect on user competence is genuinely hard to overstate. An entire generation of smartphone users has never had a reason to ask where software comes from, who made it, what it does with their data, or whether the permissions it is requesting make any sense. The storefront absorbed all of those questions and replaced them with a single interface that says “trust us.”

People do not check anymore. They do not know how to check. The platforms did not want them to check, because users who check are users who might say no, and users who say no do not drive install metrics.

So now you have a population of users who treat a verified badge as a security guarantee, who click through permission requests without reading them, who have no mental model of what a VPN actually does but will install one from a stranger in a marketplace because the listing had four stars.

And then something goes wrong, and it is the user’s fault for not being careful, according to the same platforms that spent fifteen years actively engineering the carefulness out of them.

The Fix Nobody Wants to Talk About

Real security in software distribution requires actual accountability. It requires platforms to be liable, in a meaningful legal sense, for what they distribute under a safety guarantee. It requires review processes that are transparent enough to be audited. It requires that the appeal process for developers actually functions. It requires that sideloading remain a viable option so that the store is not the only game in town.

None of that is in the financial interest of the platforms. So we will keep getting press releases about how seriously they take safety, and researchers will keep publishing lists of malicious apps that somehow made it through review, and developers will keep navigating policy mazes that seem designed to extract compliance costs rather than improve security, and users will keep clicking install.

At some point the people building these systems are going to have to answer for what they built. I am not holding my breath, but I am going to keep saying it.
