3 hours ago
2
Google has revealed the “advanced flow” that will be required to install certain Android apps once the company introduces mandatory developer verification later this year. The company had initially announced that it would no longer be possible to install apps from unverified developers, and the process announced today is its concession to critics who accused it of killing off app sideloading and making Android less open.
The good news is the new advanced flow is a one-off process that won’t need to be repeated every time a user wants to sideload an app; the bad news is that part of that process includes a mandatory one-day waiting period.
Here’s how Google describes the process in a blog post from Matthew Forsythe, Android’s director of product management and app safety:
Enable developer mode in system settings: Activating this is simple. This prevents accidental triggers or “one-tap” bypasses often used in high-pressure scams.
Confirm you aren’t being coached: There is a quick check to make sure that no one is talking you into turning off your security. While power users know how to vet apps, scammers often pressure victims into disabling protections.
Restart your phone and reauthenticate: This cuts off any remote access or active phone calls a scammer might be using to watch what you’re doing.
Come back after the protective waiting period and verify: There is a one-time, one-day wait and then you can confirm that this is really you who’s making this change with our biometric authentication (fingerprint or face unlock) or device PIN. Scammers rely on manufactured urgency, so this breaks their spell and gives you time to think.
Install apps: Once you confirm you understand the risks, you’re all set to install apps from unverified developers, with the option of enabling for 7 days or indefinitely. For safety, you’ll still see a warning that the app is from an unverified developer, but you can just tap “Install Anyway.”
Why so many steps and a waiting period? Forsythe said to expect a “high-friction” process earlier this year, and he now explains that it’s designed to protect users from being tricked into installing unsafe apps by scammers. Google is characterizing sideloading as something only “power users” should be able to do for that reason.
Image: Google
Google first announced its new Android developer verification requirements last August, which will eventually require developers to provide Google with details including their legal name, address, email address, and phone number, and in some cases an uploaded copy of their government ID. Once the verification requirements are in full effect, the new advanced installation flow will be one of the only ways to install apps from developers who haven’t gone through Google’s verification process. Google will also provide limited workarounds for students and hobbyists to share their apps with up to 20 people without providing government ID or paying a registration fee.
Criticism of registration has been fierce from some developers. The Keep Android Open campaign warned in an open letter last month that mandatory registration “threatens innovation, competition, privacy, and user freedom,” raising both principled objections and practical concerns around barriers to entry and legal risks. ImranR98, developer of the open-source app update tool Obtainium, told The Verge a few weeks ago that it’s “a massive overreach” from Google and “an effective ban on general purpose mobile computing worldwide.”
Image: Google
Verification itself is still only in early access, though Google says it’s expected to open to all developers some time this month. For now it’s still optional, but from September this year it will be mandatory for the developers of apps released in Brazil, Indonesia, Singapore, and Thailand, with global requirements kicking in some time from 2027. Google says the advanced installation flow will be available from August, before registration itself becomes mandatory. Dan Jackson, Google’s head of policy communications, explains that this is to give “power users the opportunity to turn it on” — and get through the 24-hour delay — ahead of time.
Among other changes to Android, Google will be launching a “Registered App Stores” program outside of the US by the end of the year so third-party publishers can have their own. Those stores will also have trust and safety requirements. Inside the US, Google must work towards offering rival app stores within its own Google Play Store, unless or until Judge James Donato decides otherwise.
Update, March 19th: Added quotes from Android developers, and additional details on the availability in August.
Follow topics and authors from this story to see more like this in your personalized homepage feed and to receive email updates.
