Google has introduced a mandatory 24-hour waiting period for sideloading apps from unverified developers on Android devices. This new policy aims to enhance user safety by reducing the risk of malware and scams, while maintaining the platform’s openness.
Background of the New Sideloading Policy
The update follows a previous mandate requiring that Android apps be registered by verified developers before they can be installed on certified devices. This step was taken to swiftly identify malicious actors and prevent the distribution of harmful software. The 24-hour delay is meant to protect users from cybercriminals who may exploit sideloaded apps to gain unauthorized access and disable protective features like Play Protect.
Concerns and Criticisms
Despite Google’s intentions, the new requirements have faced backlash from over 50 app developers and marketplaces, including organizations like F-Droid and The Tor Project. Critics argue that the policy could create entry barriers and raise concerns about privacy and data security. Questions remain about the handling of personal information required for developer verification and potential government access to this data.
Implementation of the Advanced Sideloading Flow
Google has introduced an advanced flow that allows experienced users to sideload apps from unverified sources. It involves enabling developer mode, confirming that the action is voluntary, waiting 24 hours, and then re-authenticating with biometric data or a device PIN. Users can then install apps indefinitely or for seven days, provided they understand the risks involved.
According to Sameer Samat, President of Android Ecosystem, this waiting period is designed to disrupt potential attacks, allowing users time to verify threats. Google also plans to provide free limited distribution accounts for hobbyists and students, enabling app sharing with up to 20 devices without stringent identification requirements.
Future Outlook and Security Measures
The advanced flow and limited distribution accounts will be available by August 2026, ahead of the new verification requirements in September. This initiative coincides with the emergence of the Perseus malware, which targets users in Turkey and Italy for device takeover and financial fraud. In recent months, several Android malware families have been identified, underscoring the importance of enhanced security measures.
Google acknowledges the diversity of its ecosystem, emphasizing the need for flexible solutions to accommodate different user needs without compromising security. The company is committed to providing multiple pathways for developers to meet verification standards.
