Google has unveiled a significant overhaul of the sideloading process on Android, introducing a new flow that mandates a 24-hour lock and multiple steps for installing apps from unverified developers. This initiative aims to enhance user safety by encouraging a more deliberate approach to app installation, thereby reducing the risk of scams and coercion.
The new “advanced flow” is tailored for what Google refers to as power users. It transforms sideloading into a more methodical process, ensuring that advanced Android users can still install apps from unverified sources while being adequately warned of potential risks. This change also serves to protect less experienced users who might be misled into downloading harmful applications.
The new sideloading flow: what you actually have to do
As the new rules take effect, the process of installing apps from unverified developers will become notably more cumbersome. Here’s a breakdown of the steps involved:
- Step 1: Enable Developer Mode
  Users must manually enable developer options, introducing an intentional barrier to entry.
- Step 2: Confirm you’re not being coerced
  Android will prompt users to confirm that they are not being pressured into disabling device protections, addressing common scam tactics.
- Step 3: Restart your phone
  This step is designed to sever any active connections that scammers may exploit during the installation process.
- Step 4: Wait 24 hours
  A mandatory one-day waiting period is enforced before users can proceed with sideloading an app from an unverified developer, termed a “protective waiting period” by Google.
- Step 5: Re-authenticate
  After the waiting period, users must verify their identity through biometric authentication or a PIN, allowing time for reflection before proceeding.
- Step 6: Finally, install the app
  Only after completing the previous steps can users sideload the app, with the option to allow installations for seven days or indefinitely.
Even at this stage, a warning will remind users that the app is from an unverified developer, but they will have the option to proceed with the installation.
Why is Google doing this?
Google’s rationale for these changes is straightforward. The company recognizes that Android has evolved from its roots as a niche platform to a primary computing device for billions. Sameer Samat, Google’s President of the Android Ecosystem, emphasized the balance between openness and safety, stating, “You want a platform to be open, but you need a platform to be safe.”
With the rise of social engineering tactics, scammers have increasingly exploited the traditional sideloading process. Google’s new measures aim to disrupt this cycle by introducing deliberate delays and additional confirmations, allowing users to reconsider their actions in high-pressure situations.
What does Google mean by apps from unverified developers?
The updated sideloading flow is part of a broader initiative to require Android app developers to verify their identities with Google. This move aims to associate apps with verified developers, thereby reducing the likelihood of malicious actors infiltrating the ecosystem. Samat noted, “We would like to be able to tell the user this app is from this source,” allowing users to make informed decisions about trust.
However, exceptions exist for limited distribution apps, such as student or hobby projects, which can still be shared with a small number of devices without undergoing full verification.
When will the new sideloading rules come into effect, and what does this mean for you?
Google has announced that the new advanced sideloading flow will be available in August, ahead of the implementation of developer verification requirements. For users who primarily rely on the Play Store, the changes will not affect their experience. However, those who utilize third-party app stores or manually install APKs will encounter a more restrictive process moving forward.
The developer community’s response to these changes remains to be seen, particularly regarding whether they will opt into Google’s new verification system. Users may find themselves navigating the new process for any app from developers who choose to remain unverified.