Friday, March 20, 2026

Android Sideloading Waiting Period

Ryan Whitwam (Hacker News):

With its new limits on sideloading, Android phones will only install apps that come from verified developers. To verify, devs releasing apps outside of Google Play will have to provide identification, upload a copy of their signing keys, and pay a $25 fee. It all seems rather onerous for people who just want to make apps without Google’s intervention.

Apps that come from unverified developers won’t be installable on Android phones—unless you use the new advanced flow, which will be buried in the developer settings.

[…]

Google swears it’s not interested in the content of apps, and it won’t be checking proactively when developers register. This is only about identity verification—you should know when you’re installing an app that it’s not an imposter and does not come from known purveyors of malware.

[…]

So a rootkit can be malware, but a rootkit you downloaded intentionally because you want root access on your phone is not malware, from Samat’s perspective. Likewise, an alternative YouTube client that bypasses Google’s ads and feature limits isn’t causing the kind of harm that would lead to issues with verification. But these are just broad strokes; Google has not commented on any specific apps.

Adamya Sharma (via John Gruber):

When Google execs previously said sideloading would become a high-friction process on Android, they really weren’t kidding.

The company is finally sharing what Android’s new sideloading flow will look like in practice, and if you’re someone who installs apps outside the Play Store, you’re going to feel it immediately, and you’re going to feel it deeply.

[…]

It’s a deliberately slow and almost impossible-to-rush-through process that will allow advanced Android users to sideload apps from unverified developers, while giving them plenty of caution to keep them safe from malicious apps and bad actors.

[…]

Yes, really. There’s a mandatory one-time, one-day waiting period before you can proceed and sideload an app from an unverified developer. Google calls it a “protective waiting period.”

Horrific. Can we finally dispense with this notion that Apple’s App Store can be as restrictive as they want because if you don’t like that you can just buy an Android phone?

tavavex:

The part in the flow where you select between allowing app installs for 7 days or forever is a glimpse into the future. That toggle shows the thought process that’s going on at Google.

I can bet that a few versions down the line, the “Not recommended” option of allowing installs indefinitely will become so not recommended that they’ll remove it outright. Then shrink the 7 day window to 3 days or less. Or only give users one allowed attempt at installing an app, after which it’s another 24 hour waiting period for you. Then ask the user to verify themselves as a developer if they want to install whatever they want. Whatever helps them turn people away from alternatives and shrink the odds of someone dislodging their monopoly, they will do. Anything to drive people to Google Play only.

Gregory:

At this point I’m convinced that there’s something deeply wrong with how our society treats technology.

Ruining Android for everyone to try to maybe help some rather technologically-hopeless groups of people is the wrong solution. It’s unsustainable in the long run. Also, the last thing this world needs right now is even more centralization of power.


Update (2026-03-26): Peter N Lewis:

Just so it’s clear, because it’s frequently not been clear in reporting I’ve seen, the 24 hour waiting period is after turning on the switch that allows sideloading. It is not before each individually sideloaded app.

And I can sort of see their reasoning on this, to defend naive users from being conned into turning it on. For savvy users, you can just turn it on, wait a day and then get on with your life.

Saagar Jha:

My security hot take for this week is that Google’s changes for sideloading on Android seem to strike a good balance between security and usability. This gives me hope the team is putting thought into maintaining the original dream of the platform rather than making a worse iOS.

Of course the jury is still out on how well this will work but the rationale seems pretty solid to me. Being tricked into installing blatant malware is, despite how you might feel about it, a major problem for Android. Historically efforts to combat this have badly hurt openness.

The general problem with security is identifying bad things is hard because often it will end up impacting desirable things too. In this case Google picks a very specific quality of scams and aims to target it specifically: urgency. I expect this to be very high signal!

Update (2026-03-30): Stephen Schenck (Hacker News):

Users will be able to opt out of further delays after that initial 24 hours.

Today Google clarifies that this status can carry over to new devices, so you only ever have to go through it once.

13 Comments


"At this point I’m convinced that there’s something deeply wrong with how our society treats technology."

At *this* point? And not at any earlier point? The writing's been on the wall for many years.


Booooo, down with this shit!


When identification is required to run your own code on your own devices (if I read that right), that makes me deeply uncomfortable.


I do think it's a shame that it's needed, but at the same time, the high-pressure phone scams this is designed to prevent are a huge problem for people. I don't think it's very useful to just deride people who are impacted by scams as 'technologically hopeless groups of people'. They're real people who are losing their life savings, and it's happening in countries where they won't just get their funds refunded by the bank.

A one-time 24-hour reflection period isn't the worst thing ever, and it really does work to 'break the spell' of the scammers in many cases.


> Ruining Android for everyone to try to maybe help some rather technologically-hopeless groups of people is the wrong solution. It’s unsustainable in the long run. Also, the last thing this world needs right now is even more centralization of power.

Dude still believe this is about security? Cute


Alex is right about why they are doing this and in the short term it may not be the worst idea.

This is treating a symptom of the rampant scamming issue plaguing the world right now. Stopping the scammers seems politically impossible. Governments abused the real protections of identity and privacy and so that ship has sailed.

And the vast majority of people neither have nor want basic computer education, much less security education. And of course the technology cartels are not interested in educating users for the same reason slaves weren’t taught to read.

So here we are. A world of helpless victims and technology predators all enabled by governments and corporations with the wrong motivations. And we’re caught in the middle as the tiny minority that just wants to use the computer for what we know it is.


There’s definitely something wrong with the way our society treats technology, but falling for Google’s lie that this is to protect users is silly.

Google doesn’t even protect people who download apps exclusively from the play store. It’s been riddled with scams. Malware has sat there for months before being addressed. Just like Apple’s App Store

They obviously want to have more control over what apps users can install. Just like Apple. And just like Apple, this control will mostly be used to make more money from payments. But it’ll also be used by authoritarian governments to block apps they don’t like. And then the tech industry will say “that’s just what you have to do to be a company at that level”. Well, maybe we shouldn’t have companies so big they have to go along with fascism

Speaking of fascism, falling for Google’s lie is just like the people falling for the idea that age verification is meant to protect children. It should be obvious that the same government that knowingly allowed Epstein conspirators to continue abusing children (and they’re still free, still doing it now) isn’t truly interested in protecting children

Again, it’s about control, tracking, invasion. Our current fascist regime in the US has repeatedly made efforts to track and target dissidents and protesters. It’s not a coincidence suddenly children have to be protected, but not the ones being abused by the Epstein class for some reason

It’s about giving authoritarian governments more control over its people

This is what’s wrong with the way our society handles technology: we allow it to be used and abused against us even when it’s obvious they’re going to do that, just as long as they can offer up some “safety” excuse that doesn’t even make any sense if you think about it for two seconds


Maybe I'm missing something, but how common are scams that involve getting people to install an app on their phone?

I'm getting scam calls pretty regularly, and I usually go along with them to see what happens. I've gone through at least a dozen interactions with scammers in the previous year. Nobody ever asked me to install an Android app. Am I just not giving the correct responses to trigger that, or what?


I read about pig butchering scams where they tricked people into installing fake crypto trading apps. The victims would see number go up, and their deposits would show up.

The fact that the money went straight to someone else's crypto wallet wasn't shown.

And when they tried to withdraw money they would get technical difficulty, check in later or even pay money for a transaction fee messages.

So it happens.

I'm not sure if these were straight off of the App store, but given that the victims were Americans I find it likely.

Stopping alternative installs might not have helped.

Plus it could all be done through a website anyway.


"I read about pig butchering scams where they tricked people into installing fake crypto trading apps. The victims would see number go up, and their deposits would show up."

Aren't these just websites? In all of the calls I've had, the scammers directed me to a website. It feels like asking somebody to install an app has no advantage over asking them to go to a website. It just increases the odds of the scam failing.

I guess if the app is in an official app store, that would lend it some legitimacy, but other than that, what is the point?


Just so it's clear, because it's frequently not been clear in reporting I've seen, the 24 hour waiting period is after turning on the switch that allows sideloading. It is not before each individually sideloaded app.

And I can sort of see their reasoning on this, to defend naive users from being conned into turning it on. For savvy users, you can just turn it on, wait a day and then get on with your life.

Note: I'm not saying I agree with any or all of this, just clarifying the 24 hour waiting period issue which I've seen misreported several times.


Let’s fix the spam problem, not some specific step in a scammer’s workflow (installing some app or whatever).

How is it in 2026 we still can’t figure out how to have exclusively opt-in, allowlisted email and phone calls?

You want to send me an email someday? Sure, just scan this rotating code, and I’ll approve your request. I might choose to approve for 1 day, 1 month or forever. Emails need to come from your cert, or they won’t be delivered. How hard is that? The US has already done this for commercial text messages for a couple years now, customers must either opt in or confirm to receive messages. In the rest of the world, WhatsApp can auto-block incoming messages from unknown people. Fixing email and phone calls isn’t rocket science.

And if we control those vectors of infection of this nonsense, we don’t need to worry about who can install apps.

So tired of having Apple and Google install whatever bloat they want, even making it non-removable — apps like Books.app on a Mac — but I have to jump through hoops just to install my app on a family member’s computer or phone.


Pretty sure the spammers and scammers would stop if they started having suicide drones crashing into their offices, just saying.
