The Platform Phones Home Anyway

Terje Rutgersen · 2026 · privacy · opinion

I recently shipped Kofte, a digital knitting counter. The architecture is as simple as it gets. It uses a local SQLite database and a native Android UI. There are zero network requests written into the application code. In a sane world, I would compile the APK, host it on a server, and let people download it. But software distribution does not work like that anymore.

If you want normal people to use your tools, you have to meet them where they are. That means navigating the walled garden of Google Play.

The F-Droid problem

The open source community will tell you to just publish on F-Droid. I love F-Droid. It is a brilliant repository that actually respects user freedom. But my target audience is not going to enable developer options, ignore three separate Android security warnings, and sideload an alternative app store just to count rows on a sweater. If you build tools for the general public, you are forced into a centralized ecosystem.

That is where absolute privacy purism hits a wall.

What happens when you upload

The friction starts the moment you upload your Android App Bundle. You might have written a perfectly isolated offline app, but the host operating system is heavily instrumented. Google Play Services hooks into everything. Even if your app lacks the INTERNET permission in its manifest, the Google Play Console will begin filling with data. It aggregates install metrics, uninstalls, device models, and Android API levels. If your app throws an unhandled exception, the OS-level ActivityManager catches it and offers the user a prompt to send a crash log back to Google. You get a dashboard full of analytics you never wrote a single line of code to collect.

The billing paradox

Then you hit the monetization problem. Kofte operates on a one-time purchase model. To process that transaction without getting banned for bypassing store policies, I am required to bundle the Google Play Billing Library.

This introduces a fascinating technical paradox. My app still does not make direct HTTP requests. Instead, the Billing API uses Android Interface Definition Language (AIDL) to make local Inter-Process Communication (IPC) calls to the Play Store application already running in the background on the device. The Play Store app then acts as a proxy, contacting Google's servers over its own connection to verify the cryptographically signed purchase token. The app remains technically offline, but the device is phoning home on its behalf.
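As an added example that is not part of the original post: a small Python audit that compares the permissions written in a project's source manifest against the merged manifest the build actually ships, which is the one a privacy claim should be checked against. Both manifests are constructed samples; the merged one assumes the Play Billing Library contributes the com.android.vending.BILLING permission on its own, which is how an app with no network code of its own ends up with a billing entry but still no INTERNET permission.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let code in the app process reach the network directly.
NETWORK_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed sample: the manifest as written in the project's source tree.
SOURCE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <application android:label="Kofte" />
</manifest>"""

# Constructed sample: the merged manifest the build emits after dependencies
# are pulled in (assumed here: the Play Billing Library declares BILLING).
MERGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="com.android.vending.BILLING" />
    <application android:label="Kofte" />
</manifest>"""


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = (elem.get(ANDROID_NS + "name") for elem in root.iter("uses-permission"))
    return {name for name in names if name}


def audit_permissions(source_xml: str, merged_xml: str) -> dict:
    """Compare what the developer wrote with what actually ships."""
    source = declared_permissions(source_xml)
    merged = declared_permissions(merged_xml)
    return {
        # Permissions no line of the developer's own manifest asked for.
        "added_by_dependencies": sorted(merged - source),
        # Anything that would let the app itself open a socket.
        "network_capable": sorted(merged & NETWORK_PERMISSIONS),
        # True only if the shipped bundle really has no direct network path.
        "offline_claim_holds": not (merged & NETWORK_PERMISSIONS),
    }


if __name__ == "__main__":
    for key, value in audit_permissions(SOURCE_MANIFEST, MERGED_MANIFEST).items():
        print(f"{key}: {value}")
```

In a real build, feed the merged manifest from the build output (the one bundled into the AAB) rather than the source file, since that is where dependencies' permissions first appear.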

The honesty gap

This creates a massive blind spot in how independent developers talk about privacy. I see countless landing pages boasting absolute zero data collection. The developers justify this by hiding behind a technicality. They argue that since they did not explicitly import Firebase Analytics or Mixpanel, their app is entirely private. They ignore the massive, invisible data vacuum running underneath their code.

That is intellectual dishonesty. If you market a product based on privacy, you owe your users technical accuracy.

The forced compromise

Building a private app on a major platform means accepting a forced compromise. You sacrifice the absolute purity of a true air-gapped binary to gain access to a secure, frictionless distribution channel. The pragmatic approach is to acknowledge this baseline surveillance, explain the mechanics clearly, and draw a hard line at adding any telemetry of your own. You cannot stop the platform from being the platform. You can only refuse to participate in the tracking ecosystem beyond what is strictly mandatory.