Android Developer Verification: Difference between revisions

On August 25, 2025, Google announced an upcoming application installation restriction on Google-certified Android devices, requiring all developers to register and verify their real-life identity through the Developer Verification program and be approved by Google before their apps can be installed on Android devices. This requirement extends to all installation methods including "sideloading", third-party app repositories like F-Droid, and direct APK installations. Google stated that this change "keeps the ecosystem open".^[1]

This is a giant shift from Android's traditionally open ecosystem and an abandonment of Android's founding principles.^[2] It renders all existing APK files created throughout the years useless, and gives Google the ability to censor apps they dislike, such as those that can create permanent local backups of YouTube videos outside of Google's ecosystem with no data lock-in (a popular example being TubeMate), and lets them terminate developers out of spite for reasons unrelated to their apps (such as holding political views Google disagrees with), in addition to giving governments the ability to order Google to censor unwanted apps, similar to what already happened with Apple in China.^[3]

It also prevents new Android applications from being developed offline with no Internet connection or Google account, given that every package name has to be registered in the developer console. This can prevent even verified developers from creating apps in countries where governments intermittently turn off Internet access, block access to Google services, or selectively block individuals from accessing the Internet.^[4]

Individuals who lose access to their Google accounts (for example, as a result of losing an authentication factor) would no longer be able register new applications.^[5] Unlimited offline distribution can also become a thing of the past. Google can impose arbitrary installation quotas, meaning limit the number of installations, like they are planning to do with student accounts. In the future, Google can also stop accepting submissions for older Android versions altogether, forcing people to purchase new devices to run software that could technically run on their existing device.

As with any Google service, there exists a possibility that it will shut down entirely, given that Google has a long history of launching and shutting down experimental services.^[6][7] If Google shut down the Android Developer Console, no one could develop new Android application anymore, for any device sold with this verification requirement built in.

Android has historically allowed users to freely install applications from any source through APK files (sometimes called sideloading). This openness differentiated Android from competitors like iOS. It enabled alternative app repositories, including open-source repositories like F-Droid, and direct developer-to-user distribution, offline installation with no Internet connection and Google account required, installation of applications not available in the Play Store (such as Flappy Bird, after it was taken down by its developer, or TubeMate, which Google does not allow on the Play Store), and installation of earlier versions (such as non-adware versions of ES File Explorer).

The only technical requirements were that applications follow Android's technical guidelines for functionality and be signed with any certificate to maintain a chain of trust during updates.

This openness has been a defining characteristic of Android since its inception, supporting many different use cases from enterprise deployments to privacy-focused distributions. Google has defended this approach in anti-trust proceedings, with Google's lawyers arguing in the Epic Games case that "Android and Google Play provide more choice and openness than any other major mobile platform"^[8] and that the company's app store practices were "part of its fierce competition with Apple".^[9]

Google announced the Developer Verification requirements on August 25, 2025, through the Android Developers Blog.^[10] According to Suzanne Frey, VP of Product, Trust & Growth for Android, the system is designed to combat malicious actors who "hide behind anonymity to harm users by impersonating developers and using their brand image to create convincing fake apps."

Google cited security statistics showing "over 50 times more malware from internet-sideloaded sources than on apps available through Google Play".^[11] The company framed the verification as "an ID check at the airport, which confirms a traveler's identity but is separate from the security screening of their bags".

The implementation will be conducted in global rollout phases:^[12]

• October 2025: Early access opens for invited developers
• March 2026: Open to all developers
• September 2026: Enforcement begins in Brazil, Indonesia, Singapore, and Thailand
• 2027 and beyond: Global rollout continues

Key implementation details:

• No grandfather clauses for existing apps or developers
• Google Play Store developers likely already meet requirements through 2023's D-U-N-S implementation
• Organizations requiring D-U-N-S numbers should begin the process 28 days before deadlines
• Developers can initiate verification 60 days before enforcement
• 90-day deadline extensions available for developers needing additional time
• After deadlines, users encounter system-level blocks with no override option when attempting to install unverified apps

On November 12, 2025, Google announced that it was developing an "building a new advanced flow that allows experienced users to accept the risks of installing software that isn't verified."^[13]. Matthew Forscythe, the Director of Product Management, clarified in a tweet posted January 16, 2026 that the process was purposefully "high-friction" and re-framed the sideloading restriction as an "accountability layer."^[14][15]

Free and open software distributor, F-Droid, stated in a blog post that the Android Developer program remained a credible threat to the open-source ecosystem on Android. They also added a banner at the top of their website that linked to "Keep Android Open", a website for informing about the danger and recommending users to voice their concerns to the relevant authority.^[16]

On February 24, 2026, the Keep Android Open movement published an open letter to Google signed by various free and open-source software organizations, digital rights groups, and developer communities.^[17] The letter criticized:

• The need for Google to gate-keep software beyond its own distribution platform
• The centralization of power having implications for privacy, censorship, and surveillance, especially with Google's historically opaque decision-making and review approach
• Imposition of barriers to entry for developers in various scenarios
• Anti-competitive implications
• Regulatory concerns

F-Droid was among the various organizations to sign the letter, as well as publishing its own open letter that same day. In that open letter F-Droid contended that "sideloading" was still going to be removed, that Google's blog post from last November about an "advanced flow" would not "be made available prior to the September lock-down," nor had Google sought any external feedback. F-Droid went on to urge developers to signal their own opposition by refusing to sign up for the developer verification process that would begin in March 2026.^[18]

On March 4, 2026, as part of changes following the ruling in Epic Games, Inc. v. Google LLC, et al., Google announced that it was allowing registered app stores to be published on Google Play Store if they met "certain quality and safety benchmarks", which would otherwise be subject to same restrictions as those for other "sideloaded" apps.^[19] Notably as part of the settlement, Epic Games signed away its rights to sue Google over anything related as covered in the term sheet, until September 2032.^[20]

On March 19 2026, Google finally revealed how its advanced flow program for installing unverified apps would be implemented. Google mentioned that this was a one-time process for power users, but was designed to prevent users "from being coerced by high pressure tactics to install malicious software".^[21]

1. Enable developer mode in system settings
2. Confirm you aren't being coached
3. Restart your phone and r-eauthenticate
4. Come back after the protective waiting period and verify - One-time, one-day wait

3Install apps - option of enabling for 7 days or indefinitely

Since advanced flow is delivered through Google Play Services and not through Android OS, Google can modify, restrict, or remove it at any time without an OS update and without any user consent. Organizations such as Keep Android Open continue to hold the position against the program because of this aspect. Since the implementation has not appeared in dev, beta or canary builds of Android yet, Google is prompting the community to accept a product announcement as a functional safeguard five months before the mandate takes effect.

Preventing critical banking apps from functioning due to enabled state of developer mode also makes installing unverified applications unfeasible to many users, which majorly affects the rapidly growing FOSS Android community and forces developer verification as well as payment of verification fees to Google, only to operate under limitations Google grants.

On March 23, 2025, Matthew Forsythe, Director of Product Management for Developer Experience on Google Play at Google, answered a question from an Android user on X (formerly Twitter) regarding advanced flow on Android. Forsythe explained that it would be possible to disable developer node once advanced flow is enabled, in order to use apps that don't work with developer mode enabled such as banking apps.^{[citation needed (8 June 2026)]}

However, at present, it's not yet clear whether it will actually be possible to use advanced flow with Developer Mode disabled, and it is unknown if enabling advanced flow will affect critical apps like banking apps, which might not function properly if the Advanced Feed system is enabled.

The Developer Verification system creates two tiers of developer accounts:^[12]

• Allows for distribution on up to 20 devices^[22]
• Intended for "students, hobbyists, and other personal use"
• Free registration
• Identity verification requirements unclear

• No limits on app numbers or installations
• Intended for "organizations and professional developers with wide distribution"
• Requires a one-time $25 fee
• Requires complete identity verification including:
  • Government-issued photo ID
  • Proof of address
  • Private email
  • Phone number
  • For organizations:
    • Website
    • D-U-N-S number (can take up to 28 days to obtain)

Developers must register package names before apps can be installed. The system creates a cryptographic link between developer identity and app signing keys. Ownership priority is determined by installation statistics — developers whose signing keys account for over 50% of known installs receive registration priority.^[23][24]

The requirements apply to all "[ Google-certified Android devices]" which includes:^[25]

• Devices with Google Play Store
• Devices with Google Mobile Services (GMS)
• Devices with Play Protect
• All mainstream Android devices from manufacturers including Samsung, Xiaomi, Motorola, OnePlus, and Google Pixel
• The vast majority of Android devices sold outside of China

Custom ROMs without Google services and non-certified devices are not affected by these restrictions.

Prominent Android developer Mark Murphy (CommonsWare) raised several technical concerns:^[26]

• Debug keystore handling for development workflows remains unaddressed
• Sample code from Android development books would become unusable as "at most one person on the entire planet" could register each package name
• Beta testing workflows using different package names face complications
• Questions whether "it will no longer be possible to test apps under development on Google-certified production hardware" after 2027

Developers expressed significant privacy concerns:

• Murphy cited the ICEBlock app developer who faced federal prosecution threats after identity disclosure, with his wife being fired from a job at the U.S. Department of Justice

• The Electronic Frontier Foundation (EFF) criticized risks of centralization in censorship as well as surveillance capability retained by Google^[27]

• Google's privacy policy allows sharing developer information with "trusted businesses or persons" without clear restrictions^[28]

• Open source developers fear harassment and doxxing after forced identity disclosure

• F-Droid mentioned that play store verification is proven to be ineffective at combating malware due to repeated instances of malware distributed through play store^[29][30]

Specific challenges include:

• F-Droid builds apps from source with its own signing keys, creating coordination requirements with upstream developers to ensure that the applications distributed are reproducible
• Community estimates suggest 85% of F-Droid apps could be "stuck in limbo" due to package ID conflicts
• Some developers announced via DreeDroidWarn that their apps "will no longer work on certified Android devices after that time"^[31]
• An open source app, Kotatsu, shut down its development citing pressure from Google against sideloading (among other threats against its operation).^[32]

Google's Q&A page for the announcement received lots of feedback, including:^[33]

• Users highlighting the hypocrisy of enforcing security on sideloaded apps while Google Play distributes apps classified as scamware, malware, and adware

• Confusion over whether users would need to pay $25 to install apps on their own devices

• Concerns about offline device functionality (barcode scanners, kiosks) requiring internet connections for app signing verification

• Comparisons to Windows, where users noted: "I can install an app onto a Windows computer from any source without verification by Microsoft"^[34]

The Android community produced numerous critical videos,^[35][36][37] with titles like "Google is Locking Down Android" and "Android Is Becoming iOS: The End of Sideloading?"

The Developers Alliance stood as the sole organizational voice supporting the change, with co-founder Jake Ward stating it was "a critical step to ensure trust, accountability, and security across the Android ecosystem".^[38]

Government support emerged from initial rollout regions:

• Brazil's Federation of Banks called it a "significant advancement in protecting users"^{[citation needed (8 June 2026)]}

• Indonesia's Ministry of Communications praised the "balanced approach that protects users while keeping Android open"^{[citation needed (8 June 2026)]}

• Thailand's Ministry of Digital Economy described it as a "positive and proactive measure"^{[citation needed (8 June 2026)]}

Technology publications characterized the change as fundamental to Android's nature:

• The Daily Security Review called it "a significant philosophical shift for Android, mirroring Apple's tightly curated ecosystem"^{[citation needed (8 June 2026)]}

• Cory Doctorow wrote that Google was abusing its duopoly position in the mobile ecosystem to lock-in users for monetary profit^[39]

• Many news outlets warned that the ID requirements could end alternative app stores and affirm Google Play Store's position as an effective monopoly^[40][41]

• Afam Onyimadu, of Make Use Of, wrote that the move was an overreach of Google's position when programs such as Play Protect already exist, calling it "security theatre"^[42]

• It's FOSS warned "this could turn Google into the effective gatekeeper for all apps on 'certified' Android devices"^[28]

• OSnews criticized it as "the death of our digital freedoms"^{[citation needed (8 June 2026)]}

• Hackaday noted the timing "coincides with Google's court-mandated opening of Android following Epic Games' antitrust victory"^[43]

NomidMDM advised IT managers to "audit application inventory today" and make sure all line-of-business app developers completed verification before deadlines.^[44] Affected deployments include:

• Wall-mounted displays
• Classroom broadcasting systems
• Shared device configurations
• Kiosk applications
• Industrial control systems

F-Droid faces serious challenges with the repository's build-from-source model conflicting with developer verification requirements. Alternative stores must make sure all hosted apps come from verified developers, effectively extending Google's verification to all distribution channels.

Educational institutions face challenges as well:^{[citation needed (8 June 2026)]}

• Student projects require individual verification for testing
• Sample code from textbooks becomes unusable without verification
• Classroom demonstrations need verified developer accounts
• Research projects face additional identity disclosure requirements

The announcement arrived during active regulatory scrutiny of Google's platform practices.

The EU Digital Markets Act investigation issued preliminary findings against Google on March 19, 2025, for self-preferring and payment system restrictions.^[45] Legal experts noted potential conflicts with DMA provisions requiring gatekeepers to permit third-party software installation without the gatekeeper's identification services.

The timing coincided with court-mandated changes following Epic Games' antitrust victory. The FTC outlined remedy concerns in an August 2024 amicus brief after the jury found Google illegally monopolized app distribution.^[46]

The UK Competition and Markets Authority continued its Strategic Market Status investigation, with consultation closing on August 20, 2025.^[47] No specific response to the verification requirements has been issued as of June 8, 2026.

• Forced account
• Digital Markets Act
• Sideloading

• Android Mobile App Developer Tools - Android Developers
• F-Droid
• Keep Android Open