Google named its mobile operating system’s foundation the Android Open Source Project. Open. It is right there in the name.
In January, Google announced that AOSP source code releases will be cut from four times a year to two. Q2 and Q4 only. The stated reason: “platform stability for the ecosystem.” The practical effect: the open source project that powers over 70% of the world’s smartphones just became significantly less open.
This is not an isolated decision. It is the latest in a pattern: Google stopped publishing device-specific source for Pixel phones, scaled back AOSP security patch distribution, and introduced mandatory developer verification covering 95% of Android devices. Each change is individually defensible. Together, they describe a trajectory.
The playbook is familiar
We have written about this before. Microsoft named its operating system “Windows” and delivered a wall. The pattern is older than either company: use openness to win adoption, then close the gates once the market cannot leave.
Android followed the same arc. In 2008, Android was open because it had to be. Google needed handset manufacturers to adopt a platform with no installed base, no app ecosystem, and no consumer demand. Open source was the answer: manufacturers could customize freely, carriers could pre-load whatever they wanted, and the ecosystem grew because nobody needed permission to participate.
It worked. Android captured the market. Samsung, Xiaomi, Oppo, and hundreds of smaller OEMs built their businesses on AOSP. The app ecosystem exploded. The installed base grew to billions.
And then the closing began.
To be clear: this is not an argument that iOS is better. iOS was never open. Apple does not pretend otherwise. The criticism here is not that Android is less open than its competitor; it is that Android was built on a promise of openness, used that promise to win, and is now quietly revoking it. A product that was never open cannot betray a commitment it never made. A product that won because it was open can.
How openness gets revoked
Google did not flip a switch. The closing happened in layers.
First, core functionality moved out of AOSP and into proprietary Google Play Services. Maps, messaging, push notifications, the app store itself: each migrated into closed-source services that manufacturers could only access through licensing agreements. An AOSP-only phone without Google Play Services became increasingly unusable for mainstream consumers.
Then came compatibility requirements. Manufacturers who wanted the Play Store had to pass the Compatibility Test Suite, accept the Mobile Application Distribution Agreement, and pre-install a set of Google apps. The open source license said you could fork freely. The business terms said you could fork, but you would lose access to everything that made the product viable.
Now the source releases themselves are being throttled. Twice a year instead of four times. Top-tier partners like Samsung get early private access to platform code. Smaller OEMs, emerging-market manufacturers, and independent projects like LineageOS and GrapheneOS wait for whatever Google decides to publish on its own schedule.
The “open” in AOSP is becoming decorative.
No competitive threat justifies this
When Elastic, Redis, and HashiCorp changed their licenses, they were responding to a specific provocation: cloud providers reselling their open source work as managed services without contributing back. You can disagree with their response, but the threat was real.
Google has no equivalent threat. Nobody is forking AOSP and out-competing Android. No cloud provider is reselling it as a service. The license has not changed, but the practical access has: privileged partners get months of lead time on source code while everyone else gets delayed, reduced drops. The “open” in open source is a legal fact and a competitive fiction.
This closing is not defensive. It is consolidation after winning.
Developer verification is a gate
Starting March 2026, Google requires mandatory developer verification covering over 95% of Android devices. Only alternative builds like LineageOS and GrapheneOS are excluded.
Developer verification does not protect users from malware; Google Play Protect already does that. What it creates is a registry of every developer shipping software to Android devices, controlled by Google, revocable by Google.
This is not a security mechanism. It is a permission mechanism. Security mechanisms protect users from threats. Permission mechanisms protect platforms from participants.
What follows from this
Android’s market share is north of 70%. Google does not need OEM adoption anymore. The ecosystem is locked in, the app store is mandatory, the services are proprietary, the source releases are shrinking, and the developer access is being gated. Each step is small, each step is “for stability” or “for security” or “to simplify development,” and each step moves in one direction.
If your infrastructure depends on something that is open today, ask whether it is open because of a license or because of a business model. Licenses are harder to revoke than access, but business models change faster than terms.
We wrote this about Windows: “When someone offers you a window into a system you cannot inspect, check whether it is actually a wall.” Android’s license has not changed, but its openness has. The window is still there, letting in less light every quarter.
Greg Herbster is the founder of ControlPlane Labs, building open-source infrastructure control planes for DevOps and platform engineering teams. CPLabs is bootstrapped, solo-founded, and committed to the principle that infrastructure you cannot read is infrastructure you cannot trust.