Distribute your Android apps through official channels
I use MPD a lot. It’s a small music player daemon, acting as a server providing modular access via a lot of clients to my local music hosted on my home server. It can directly output sound through the machine’s hardware or also through various other means, like over a network leveraging PulseAudio’s remote networking features. This is what I use for my desktop machine. My home server outputs the stream directly to my desktop machine. Pretty convenient. Desktop usage is fine, even though one of the best MPD front‑ends, Cantata, is no longer maintained. But today I heard of euphonica. It’s still an early preview version, but in my opinion MPD never had a better-looking front-end!
Frankly, I’m not writing this to promote a desktop application or MPD itself; I am quite happy with it. Desktop usage is fine, but when it comes to mobile, things are different. Using Android/GrapheneOS as my daily driver (together with an old Raspberry Pi 3 serving as MPD proxy for playback through my AV receiver), I need a decent mobile client to control it. And there’s really a lack of those. Back then, MAFA was a massive improvement compared to the outdated M.A.L.P., despite being closed-source. I still decided to use MAFA as my daily driver. Using closed-source applications does make me feel uncomfortable, but sometimes it’s the price you need to pay. Unfortunate, but that’s life.
Recently, the MAFA authors (Indi Software) removed their app from the official Play Store due to questionable (or insufficient) reasoning. Don’t get me wrong, the new policies Google has put in place are not nice, but for such an app, there’s not much to pay attention to except for developer verification, which in my opinion was the whole point of Google introducing it, so you can be called out if you smuggle in unwanted behavior/malware. But people don’t like change, so they make irrational decisions. The same happened with MAFA. It’s now only available as a direct .apk download 😱. Being closed-source, this is an absolute no-go for me. All applications on Android have network permission (what would you do with your phone otherwise?). They could do anything, execute whatever they want in the background without you noticing. That’s an issue with closed-source apps in general, not specifically tied to how they’re distributed, but official distribution through stores (including open stores like Izzy or F-Droid) gives some trust: applications are cross-checked (at least by Google for the Play Store), which is not the case with your side-loaded APK. When such things happen, you’re exposed to the authors, trusting them way more than with a closed-source application that is distributed through official channels.
Back to MAFA. A friend posted basically the explanation below on the MAFA authors’ announcement forum, asking about it and explaining that distribution without any store is probably a bad idea, leading to distrust. Guess what happened. The MAFA authors (Indi Software) deleted that post within 15 minutes.
To be clear, releasing a mobile app outside of trusted app stores is highly risky and should be avoided at all costs. Both users and developers face significant security, trust, and usability problems when bypassing established distribution channels.
- Users downloading apps from unknown websites risk installing malware, spyware, or trojans disguised as legitimate apps.
- Without Google Play, IzzyOnDroid, or F-Droid, there are no independent review processes or automated checks to catch malicious code.
- Lack of regular updates through verified channels exposes users to unpatched vulnerabilities (or they can secretly point to another domain using their in-application updater).
- If an app is only available via direct download (APK sideloading), many users immediately see it as suspicious.
- Sideloading requires lowering a phone’s security settings, which most users associate with scams or hacked software.
- Developers releasing apps this way damage credibility, as users expect apps to be available through legitimate, recognized stores - Play Store is not the only one.
- Installing apps outside of app stores is confusing for non-technical users and creates unnecessary friction.
Bypassing recognized stores undermines the app’s security, harms user confidence, and reduces usability. Developers who care about adoption, trust, and long-term sustainability should always release their apps through safe and transparent stores, whether proprietary (Google Play) or free/open (F-Droid, IzzyOnDroid).
MAFA is still by far the best Android MPD client. Feel free to continue using it, but I cannot. I cannot trust closed-source applications where authors delete posts on their official forums and in addition don’t give good reasoning for why they went that route in the first place. It just creates a bad feeling for me, so I need to say goodbye MAFA, goodbye Indi Software, hello M.A.L.P. (again)!
A side note: I personally maintain fbmobile, which I distribute through Play Store and IzzyOnDroid. When Google started changing their policy, I had similar thoughts as the MAFA authors. Just removing it is the easy way and seems legit, given that Google is that evil big tech giant, enforcing their new policy for everyone. To be honest, that wouldn’t be too bad for my application. It would just remove one of my distribution channels without forcing people to install plain apk files. They could still decide to install via IzzyOnDroid. When thinking about the “why” Google probably introduced it, I suddenly reverted my initial plan. That developers are forced to be authentic and that they can be held liable to a certain degree is actually quite beneficial from my perspective. Don’t get me wrong. I don’t like this as a developer. It creates additional work, but as a user I prefer that developers need to go through this verification process.
Google’s move also seems to pay off. Since the new policies were introduced, I have been regularly (like at least weekly) receiving mails from folks who want to buy my legitimate Google developer account. I guess they need to find new ways to distribute their shady software.