Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams

On Thursday, Google unveiled a new “advanced flow” for Android sideloading, introducing a mandatory 24-hour waiting period for users wishing to install applications from unverified developers. This initiative aims to strike a balance between maintaining the platform’s openness and enhancing user safety.

Developer Verification Mandate

This announcement follows a developer verification mandate introduced last year, which requires all Android applications to be registered by verified developers before they can be installed on certified Android devices. Google stated that this measure is designed to expedite the identification of malicious actors and curb the distribution of malware.

The new sideloading protocol addresses potential risks associated with cybercriminals deceiving users into granting elevated privileges that could disable Play Protect, the built-in anti-malware feature on Google-certified Android devices.

Concerns from the Developer Community

However, the registration requirements have faced pushback from over 50 app developers and marketplaces, including notable names like F-Droid, Brave, and the Electronic Frontier Foundation. Critics argue that these regulations could create unnecessary friction and barriers to entry, raising significant privacy and surveillance concerns. They seek clarity on the personal information developers must provide, how this data will be secured, and whether it could be subject to governmental scrutiny.

Steps for Sideloading Apps

To alleviate some of these concerns, Google has outlined a one-time process for power users who wish to sideload apps from unverified developers:

  • Enable developer mode in system settings.
  • Confirm that the decision to sideload is voluntary and not influenced by external parties.
  • Restart the device and re-authenticate to prevent potential monitoring by scammers.
  • Wait for a 24-hour period and confirm the change using biometric authentication or a device PIN.
  • Install apps from unverified developers, either indefinitely or for a maximum of seven days, after understanding the associated risks.

Sameer Samat, President of the Android Ecosystem, emphasized the importance of this waiting period, stating, “In that 24-hour period, we think it becomes much harder for attackers to persist their attack.” He noted that during this time, users could verify the legitimacy of alarming situations, such as false claims regarding loved ones or bank account security.

Support for Hobbyist Developers

In addition, Google plans to introduce free “limited distribution accounts” that will allow hobbyist developers and students to share apps with up to 20 devices without the need for a government-issued ID or registration fee. This initiative aims to ensure that identity verification does not become a barrier to entry into the developer ecosystem.

The outlined process does not apply to installations via the Android Debug Bridge (ADB). The limited distribution accounts and the advanced flow for users are set to be available in August 2026, ahead of the new developer verification requirements coming into effect the following month.

Google acknowledged the diversity of its ecosystem, stating, “We know a ‘one size fits all’ approach doesn’t work for our diverse ecosystem. We want to ensure that identity verification isn’t a barrier to entry, so we’re providing different paths to fit your specific needs.”

Emerging Threats

This development arrives amid the rise of a new Android malware known as Perseus, which is actively targeting users in Turkey and Italy for device takeover and financial fraud. Over the past four months, at least 17 distinct Android malware families have been identified, including FvncBot, SeedSnatcher, ClayRat, and others, highlighting the ongoing challenges in mobile security.

AppWizard