Tuesday, September 2, 2025

Google to Require Developer Verification for Android Sideloading

Abner Li (Hacker News):

To combat malware and financial scams, Google announced today that only apps from developers that have undergone verification can be installed on certified Android devices starting in 2026.

This requirement applies to “certified Android devices” that have Play Protect and are preloaded with Google apps. The Play Store implemented similar requirements in 2023, but Google is now mandating this for all install methods, including third-party app stores and sideloading where you download an APK file from a third-party source.

It sounds like this is checking the person behind the developer account rather than checking the content of the submitted apps.

Sominemo:

I’m struggling to see the benefit of this new policy. While it’s presented as a security measure, the requirement to fill out these forms seems like a trivial barrier for actual malware creators, who will easily abuse the system. The real impact will be felt by legitimate developers who either value their privacy or don’t want to be tied to Google’s centralized ecosystem.

My primary concern is the potential for mismanagement, which could disproportionately harm independent developers. We’ve already seen how Google’s automated systems can randomly ban established developers from Google Play with little to no feedback. A system like this, which grants Google even more oversight, could easily make this problem worse.

Rui Carmo:

The new Android security measures are an interesting piece of revisionist thinking—“developer verification” is now set as the gatekeeper for sideloaded apps in Brazil, Indonesia, Singapore, and Thailand by September 2026, with what looks like full side-loading lockdown coming 2027.

Regardless of the malware angle, this seems to effectively kill side-loading on Android in the near future, making it as hobbyist-hostile as iOS and very likely spelling doom for open ecosystems like F-Droid (which I rely upon to customize every Android device I get my hands on).

Rosyna Keller:

What’s the problem with Google becoming a CA for all apps that want to interface with Google Play Services?

Steve Tibbett:

Apple has shown that they’ll use that capability to enforce policy decisions, guess the Android folks don’t want anyone being able to do that.

Sameer Samat:

Sideloading is fundamental to Android, and it’s not going anywhere. As we said in our blog, our new developer identity requirements are designed to protect users and developers from bad actors, not to limit choice. We want to make sure that if you download an app from a developer, regardless of where you get it, it’s actually from them. That’s it.

[…]

We are working on a flow for devs, hobbyists, etc that won’t interfere with your workflow.

Terence Eden (Hacker News):

No rational user would install a purported battery app with that scary list of permissions, right? Wrong!

[…]

There is no UI tweak you can do to prevent users bypassing these scary warnings. There is no amount of education you can provide to reliably make people stop and think.

[…]

Given that sideloaded Android apps are clearly a massive vector for fraud, it obviously behoves Google to find a way to secure their platform as much as possible.

[…]

This is quite obviously a bullshit powerplay by Google to ensnare the commons. Not content with closing down parts of the Android Open Source Project, stuffing more and more vital software behind its proprietary services, and freezing out small manufacturers - now it wants the name and shoe-size of every developer!

[…]

I remember The Day Google Deleted Me - we cannot have these lumbering monsters gatekeeping what we do on our machines.

Hugo Tunius (Hacker News):

When Google restricts your ability to install certain applications they aren’t constraining what you can do with the hardware you own, they are constraining what you can do using the software they provide with said hardware. It’s through this control of the operating system that Google is exerting control, not at the hardware layer. You often don’t have full access to the hardware either and building new operating systems to run on mobile hardware is impossible, or at least much harder than it should be. This is a separate, and I think more fruitful, point to make.

kristov:

I think the conversation needs to change from “can’t run software of our choice” to “can’t participate in society without an apple or google account”. I have been living with a de-googled android phone for a number of years, and it is getting harder and harder, while at the same time operating without certain “apps” is becoming more difficult.

For example, my bank (abn amro) still allows online banking on desktop via a physical auth device, but they are actively pushing for login only via their app. I called their support line for a lost card, and had to go through to second level support because I didn’t have the app. If they get their way, eventually an apple or google account will be mandatory to have a bank account with them.

My kid goes to a school that outsourced all communication via an app. They have a web version, but it’s barely usable. The app doesn’t run without certain google libs installed. Again, to participate in school communication about my kid effectively requires an apple or google account.

See also: Louis Rossmann (Hacker News).
