Google has revealed the "advanced flow" that will be required to install certain Android apps once the company introduces mandatory developer verification later this year. The company had initially announced that it would no longer be possible to install apps from unverified developers, and the process announced today is its concession to critics who accused it of killing off app sideloading and making Android less open.
The new workflow is deliberately cumbersome by design. Users must first manually enable developer options, confirm they are not being coerced, restart their phone to cut off active calls or remote access that scammers often rely on, wait 24 hours, then re-authenticate with biometric authentication or their PIN. Only then can they sideload apps from developers without Google verification.
Once installed, the option can be enabled for seven days or indefinitely, and within that timeframe users can install as many different APKs from as many different unverified developers as they like.
Google's rationale centres on preventing fraud and malware. The company's analysis found over 50 times more malware from internet-sideloaded sources than on apps available through Google Play. The one-day protective waiting period gives users time to think, since scammers often rely on manufactured urgency.
The broader verification requirement mandates that starting in 2026, Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices, with these requirements going into effect in Brazil, Indonesia, Singapore, and Thailand in September 2026. The requirement will then roll out globally in 2027 and beyond.
For developers, the change imposes real friction. Developers will need an Android Developer Console account, which like a Play Store account requires a one-time $25 fee linked to a Google payment profile, and both personal and organisational accounts require the submission of government-issued identity documents and verified phone numbers. The company said there will be a less burdensome process, without a fee, for students and hobbyists, but details have yet to be revealed.
Controversy around the policy has been substantial. Thirty-seven technology companies, nonprofits, and civil society groups including Article 19, the Electronic Frontier Foundation, the Free Software Foundation, F-Droid, Fastmail, and Vivaldi published an open letter opposing the plan. The letter signatories object to Google requiring Android developers who seek to distribute apps through alternative channels to first seek permission from Google, to agree to Google's terms and conditions, to pay a fee, and upload government-issued identification, arguing that this extends Google's gatekeeping authority beyond its own marketplace into distribution channels where it has no legitimate operational role.
Google disputes this framing. The company states that sideloading is fundamental to Android and is not going anywhere, and that its new developer identity requirements are designed to protect users and developers from bad actors, not to limit choice. Verified developers will have the same freedom to distribute their apps directly to users through sideloading or to use any app store they prefer.
For Australian users and developers, the implications are less immediate than for those in Brazil, Indonesia, Singapore, and Thailand, where enforcement begins this September. However, the requirements will continue to roll out globally in 2027 and beyond, making the policy relevant to the Australian developer community. Independent developers who rely on sideloading to distribute niche tools or maintain privacy will face a choice: register with Google and submit identity documents, or lose distribution access on most certified Android devices in their region when the policy arrives.
The trade-off between security and openness remains genuinely contested. Malicious developers take advantage of Android's openness and hide behind anonymity when distributing malware, which Google's change aims to address by making it harder for malicious actors to distribute harmful apps. Yet critics argue that mandatory registration imposes barriers on developers with limited resources, researchers, and academics and raises concerns about privacy and surveillance.
Google's advanced flow represents a practical middle ground: sideloading remains possible for power users willing to navigate security barriers, whilst mainstream users face stronger default protections. Whether that balance satisfies either security advocates or openness defenders remains unclear.