In a significant shift for Android users, Google has unveiled a new “advanced flow” for installing certain apps, set to take effect later this year. This initiative follows the company’s decision to mandate developer verification, a move that has sparked considerable debate regarding the future of app sideloading on the platform. While the change aims to enhance security, it also raises questions about accessibility and user freedom.
The advanced flow is designed as a one-time process, meaning users will not have to repeat it for each app installation. However, it does introduce a mandatory 24-hour cooling-off period, a feature that has drawn mixed reactions from the developer community and users alike.
Understanding the Advanced Flow
According to a blog post by Matthew Forsythe, Android’s director of product management and app safety, the installation process involves several key steps:
- Enable Developer Mode: Users must activate developer mode in their system settings. Requiring this deliberate step is meant to prevent accidental bypasses that could lead to security vulnerabilities.
- Confirm No External Coaching: A quick verification step ensures that users are not being pressured into disabling their security settings by malicious actors.
- Restart and Reauthenticate: Restarting the device and reauthenticating help to eliminate any potential remote access by scammers.
- Wait and Verify: After a one-day waiting period, users must confirm their identity through biometric authentication or a device PIN before proceeding with the installation.
- Install Apps: Once verified, users can install apps from unverified developers, with the option to enable this feature for either seven days or indefinitely. A warning will still be displayed regarding the app’s unverified status, but users can choose to proceed with the installation.
Forsythe emphasized that this “high-friction” process is intended to safeguard users from falling victim to scams, framing sideloading as an activity primarily suited for “power users.”
Google’s announcement last August regarding developer verification requirements has set the stage for these changes. Developers will soon need to provide personal information, including legal names and contact details, and in some cases, a government-issued ID. This verification process is expected to become mandatory for developers in select countries by September, with global requirements anticipated by 2027.
Despite the potential benefits of increased security, the new regulations have faced criticism from various corners of the developer community. The Keep Android Open campaign has voiced concerns that mandatory registration could stifle innovation and user freedom, while some developers have labeled the requirements as excessive and detrimental to the open nature of Android.
Looking ahead, Google plans to introduce a “Registered App Stores” program outside the U.S. by the end of the year, allowing third-party publishers to establish their own app stores, complete with trust and safety protocols. Meanwhile, within the U.S., Google is working towards accommodating rival app stores within its Google Play Store, pending legal developments.