Google is trying to have it both ways on Android sideloading: lock down the system against malware distributors, while preserving the freedom that power users and independent developers depend on. On Thursday, the company detailed how that compromise will work.
After hearing from power users that they want to take educated risks to install software from unverified developers, Google is sharing details on a new advanced flow that provides this option. The process is deliberately laborious. Users must first enable developer mode in settings, confirm they are not being pressured into disabling security, restart their phone (cutting off any remote connection a scammer might be using), wait one full day, then authenticate with fingerprint, face unlock, or PIN.
The architecture serves a specific threat. A quick check ensures no one is talking users into turning off their security; scammers often pressure victims into disabling protections, and this waiting period breaks their spell and gives time to think. This is not hypothetical. A growing trend in Southeast Asia involves attackers calling victims claiming their bank accounts have been compromised and directing them to install a malicious "verification app" to secure their funds, then directing victims to grant the malicious app notification access to intercept two-factor authentication codes.
The advanced flow will be available in August before the new developer verification requirements take effect. Once enabled, users can choose to allow unverified app installation for seven days or indefinitely. However, they will still receive warnings every time they attempt to install an app from an unverified developer.
Google is also creating a separate pathway for students and hobbyists. Google is creating a separate type of Android Developer Console account for students and hobbyist developers, recognising their needs are different from commercial developers. These limited distribution accounts allow developers to share apps with up to 20 devices without paying a fee or providing government identification.
This concession reflects pressure from the development community. When Google announced in August 2025 that it would require all Android app developers to complete identity verification, the reaction was sharp. Critics argue that mandatory registration imposes barriers on developers with limited resources, researchers, and academics; raises concerns about privacy and surveillance; and extends Google's opaque, unaccountable app review process to a broader set of developers. The verification scheme opened to all developers in March 2026 after early preview since November 2025.
The underlying security rationale is substantial. Google's recent analysis found over 50 times more malware from internet-sideloaded sources than on apps available through Google Play. The requirements will go into effect in Brazil, Indonesia, Singapore, and Thailand in September 2026, at which point any app installed on a certified Android device in these countries must be registered by a verified developer. Google will require all Android apps installed on certified devices in Brazil, Indonesia, Singapore, and Thailand to be registered by verified developers, with other regions rolling out gradually from 2027 onward.
Whether this design actually works depends on execution. The one-day delay creates genuine friction for legitimate users and developers, a trade-off Google has decided is worth the cost. The real question is whether the deliberate slowness actually breaks scammer tactics or simply becomes an annoyance that users learn to plan around. Google says it has worked with the community to ensure protections are robust yet respectful of platform freedom. How well those two goals align when enforcement begins will determine whether Android remains meaningfully open to independent creators or becomes a more walled garden.