In a significant shift for Android users, Google has announced that starting September 2026, the process of sideloading apps through APK files on certified Android devices will become more regulated. While sideloading will still be an option, it will now require a series of steps aimed at enhancing security and ensuring developer verification.
New Requirements for Sideloading Apps
The recent update from Google was highlighted through a pop-up notification titled “Keep Android Open,” which directed users to a dedicated website outlining the new requirements for installing and updating apps on certified devices. The following steps will be necessary:
- Paying a fee to Google
- Agreeing to Google’s Terms and Conditions
- Providing government identification
- Uploading evidence of the developer’s private signing key
- Listing all current and future application identifiers
Further insights into these changes were shared in a recent post on the Android Developers Blog, which emphasized the balance between maintaining openness and ensuring user safety. The blog featured a banner proclaiming, “sideloading is here to stay.”
Three Methods of Sideloading
Google has outlined three distinct methods for sideloading apps:
- Sideloading directly from verified developers: This method remains straightforward, although developers must now undergo a verification process, which may pose challenges for some applications.
- Sideloading from developers with limited distribution accounts: Users can sideload apps from known developers through channels of their choice. Google has introduced free, limited distribution accounts for students and hobbyists, allowing them to share apps with a small group (up to 20 devices) without the need for government ID or registration fees.
- Sideloading from unverified developers with advanced flow: This method may involve downloading a random APK from platforms like GitHub.
The “Keep Android Open” website elaborated on the first option, while the third method, once the most common practice, will now require a more intricate process due to security concerns. The advanced flow for sideloading from unverified developers includes:
- Enabling developer mode in system settings
- Confirming the user is not being coached by scammers to install the app
- Restarting the phone and reauthenticating to prevent remote access
- A one-time, one-day wait: Users must wait 24 hours after restarting their device, referred to as the “Security delay” step.
- Post-delay, confirming identity through biometric authentication or device PIN
- Finally, users can install apps from unverified developers, with the option to enable this feature for either seven days or indefinitely.
While these new requirements may introduce some inconvenience, they also aim to bolster user security and reduce the potential for scams. Developers who prefer anonymity will still have the option to sideload apps without incurring fees, striking a balance between accessibility and safety in the evolving Android ecosystem.
