Google Android restrict app sideloading: Difference between revisions

SciaIsHere (talk | contribs)
Added 'Incidents' category to page
Rudxain (talk | contribs)
m link GrapheneOS
 
(24 intermediate revisions by 15 users not shown)
Line 1: Line 1:
On August 25, 2025, Google announced that starting in 2026 it will block the installation of Android apps from outside the Play Store unless the developer has verified their identity with Google. The policy will first roll out in Brazil, Indonesia, Singapore, and Thailand in September 2026, with global enforcement targeted for 2027 <ref name=":0">{{Cite web |last=Frey |first=Suzanne |date=25 Aug 2025 |title=A new layer of security for certified Android devices |url=https://android-developers.googleblog.com/2025/08/elevating-android-security.html |url-status=live |access-date=25 Aug 2025 |website=Android Developers Blog}}</ref><ref name=":1">{{Cite web |last=Perez |first=Sarah |date=25 Aug 2025 |title=Google will require developer verification for Android apps outside the Play Store |url=https://techcrunch.com/2025/08/25/google-will-require-developer-verification-for-android-apps-outside-the-play-store/ |url-status=live |access-date=25 Aug 2025 |website=TechCrunch}}</ref>. This marks a significant change to Android’s long-standing support for sideloading apps and has sparked debate among developers, consumers, and digital rights advocates <ref name=":2">{{Cite web |last=Anderson |first=Tim |date=26 Aug 2025 |title=Google kneecaps indie Android devs, forces them to register |url=https://www.theregister.com/2025/08/26/android_developer_verification_sideloading |url-status=live |access-date=26 Aug 2025 |website=The Register}}</ref><ref name=":3">{{Cite web |first= |date=26 Aug 2025 |title=Google will block sideloading of unverified Android apps starting next year |url=https://www.bleepingcomputer.com/forums/t/810335/google-will-block-sideloading-of-unverified-android-apps-starting-next-year |url-status=live |access-date=26 Aug 2025 |website=BleepingComputer}}</ref>.
{{OngoingEvent}}
{{IncidentCargo
|Company=Google
|StartDate=2025-08-25
|EndDate=
|Status=Active
|ProductLine=Android
|Product=
|ArticleType=Product
|Type=Privacy, Third-party
|Description=Google is planning to block Android app installation from sources not vetted by Google in 2026.
}}
On 25 August 2025, '''[[Google]]''' announced that starting in 2026, the company will block the installation of Android apps from outside the Play Store unless the developer has verified their identity with Google. The policy will first roll out in Brazil, Indonesia, Singapore, and Thailand in September 2026 with global enforcement targeted for 2027.<ref name=":0">{{Cite web |last=Frey |first=Suzanne |date=25 Aug 2025 |title=A new layer of security for certified Android devices |url=https://android-developers.googleblog.com/2025/08/elevating-android-security.html |url-status=live |access-date=25 Aug 2025 |website=Android Developers Blog |archive-url=http://web.archive.org/web/20260222032808/https://android-developers.googleblog.com/2025/08/elevating-android-security.html |archive-date=22 Feb 2026}}</ref><ref name=":1">{{Cite web |last=Perez |first=Sarah |date=25 Aug 2025 |title=Google will require developer verification for Android apps outside the Play Store |url=https://techcrunch.com/2025/08/25/google-will-require-developer-verification-for-android-apps-outside-the-play-store/ |url-status=live |access-date=25 Aug 2025 |website=TechCrunch |archive-url=http://web.archive.org/web/20260222040007/https://techcrunch.com/2025/08/25/google-will-require-developer-verification-for-android-apps-outside-the-play-store/ |archive-date=22 Feb 2026}}</ref> This marks a significant change to Android's long-standing support for sideloading apps and has sparked debate among developers, consumers, and digital rights advocates.<ref name=":2">{{Cite web |last=Anderson |first=Tim |date=2025-08-26 |title=Google kneecaps indie Android devs, forces them to register |url=https://www.theregister.com/2025/08/26/android_developer_verification_sideloading |url-status=live |archive-url=https://web.archive.org/web/20250829170329/https://www.theregister.com/2025/08/26/android_developer_verification_sideloading |archive-date=2025-08-29 |access-date=2025-08-26 |website=The Register}}</ref><ref 
name=":3">{{Cite web |first= |date=26 Aug 2025 |title=Google will block sideloading of unverified Android apps starting next year |url=https://www.bleepingcomputer.com/forums/t/810335/google-will-block-sideloading-of-unverified-android-apps-starting-next-year |url-status=live |access-date=26 Aug 2025 |website=BleepingComputer |archive-url=http://web.archive.org/web/20250829215120/https://www.bleepingcomputer.com/forums/t/810335/google-will-block-sideloading-of-unverified-android-apps-starting-next-year/ |archive-date=29 Aug 2025}}</ref>


==Background==
==Background==
Android has historically allowed '''sideloading''', which is installation of apps from outside the official Play Store. They usually allow this only if users enabled “unknown sources” in their device settings. This openness distinguished Android from Apple’s iOS, which restricts app installs to its App Store. Alternative app stores such as F-Droid and Amazon’s Appstore, as well as direct downloads from sites like APKMirror, thrived under this model <ref>{{Cite web |last=Thomas |first=Dallas |date=14 Sep 2024 |title=The Wild West days of sideloading on Android are officially over in this week's news |url=https://www.androidpolice.com/weekly-android-news-roundup-september-14-2024/ |url-status=live |access-date=25 Aug 2025 |website=Android Police}}</ref>.
The open-source Android operating system has historically allowed [[sideloading]], the installation of apps from outside the Google Play Store. Users would need to enable "unknown sources" in their device settings to make this possible. This level of openness distinguished Android OS from Apple's restrictive iOS that does not allow sideloading. Alternative android app stores, such as F-Droid, Amazon's Appstore, and web downloads from sites like APKMirror, thrived under this model.<ref>{{Cite web |last=Thomas |first=Dallas |date=14 Sep 2024 |title=The Wild West days of sideloading on Android are officially over in this week's news |url=https://www.androidpolice.com/weekly-android-news-roundup-september-14-2024/ |url-status=live |access-date=25 Aug 2025 |website=Android Police |archive-url=http://web.archive.org/web/20251212191111/https://www.androidpolice.com/weekly-android-news-roundup-september-14-2024/ |archive-date=12 Dec 2025}}</ref>


Over time, Google introduced restrictions in the name of security. In 2023, it began requiring Play Store developers to verify their identities, which Google said reduced impersonation and malware <ref name=":0" />. Android 13 and Android 15 further limited what sideloaded apps could do, blocking access to sensitive permissions for apps not installed through official channels <ref name=":4">{{Cite web |last=Rahman |first=Mishaal |date=25 Aug 2025 |title=Google wants to make sideloading Android apps safer by verifying developers’ identities |url=https://www.androidauthority.com/android-developer-verification-requirements-3590911/ |url-status=live |access-date=26 Aug 2025 |website=Android Authority}}</ref>. These steps laid the groundwork for Google’s new, broader enforcement.
Over time, Google introduced restrictions to the open-source operating system citing security concerns. In 2023, Google began requiring Play Store developers to verify their identities in order to reduce "impersonation and malware."<ref name=":0" /> Android versions 13 and 15 further limited what sideloaded apps could do, blocking access to sensitive permissions for apps not installed through Google's channels.<ref name=":4">{{Cite web |last=Rahman |first=Mishaal |date=25 Aug 2025 |title=Google wants to make sideloading Android apps safer by verifying developers' identities |url=https://www.androidauthority.com/android-developer-verification-requirements-3590911/ |url-status=live |access-date=26 Aug 2025 |website=Android Authority |archive-url=http://web.archive.org/web/20260219183753/https://www.androidauthority.com/android-developer-verification-requirements-3590911/ |archive-date=19 Feb 2026}}</ref> These steps appear to have laid the groundwork for Google's new, broader enforcement.


==Timeline==
==Timeline==
On August 25, 2025, Google announced that '''apps can only be installed on certified Android devices if their developers have verified their identity with Google''' <ref name=":0" />. Developers must register through a new Android Developer Console, pay a one-time $25 fee (except for hobbyists or students, who will have a separate free path), and provide identifying details such as legal name, address, and government-issued ID <ref name=":1" /><ref name=":2" />. Apps must also be registered with their signing keys to prove ownership <ref name=":2" />.
On 25 August 2025, Google announced that '''apps can only be installed on certified Android devices if their developers have verified their personal identity with Google'''.<ref name=":0" /> Developers must register through a new Android Developer Console, pay a one-time $25 fee (except for hobbyists or students, who will have a separate free path), and provide identifying details such as legal name, address, and government-issued ID.<ref name=":1" /><ref name=":2" /> Apps must also be registered with their signing keys to prove ownership.<ref name=":2" />


The rollout will proceed in stages:
The rollout will proceed in stages:
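Review bot: in the added IncidentCargo template, the Description field says installation will be blocked "from sources not vetted by Google", while the lead sentence directly below it says the condition is that the developer "has verified their identity with Google". Vetting a source and verifying a developer's identity are different claims, so the summary field should use the same wording as the lead, for example "Google plans to block installation of Android apps whose developers have not verified their identity with Google, starting in 2026." Two smaller points in the same hunk: the rewritten Background paragraph ends with "These steps appear to have laid the groundwork", which is now hedged but still carries no citation, and the reference named ":2" now uses ISO dates (2025-08-26) while the neighbouring citations keep "25 Aug 2025", so the date style is mixed within one paragraph.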
Line 13: Line 25:
*'''October 2025:''' Early access program for select developers.
*'''October 2025:''' Early access program for select developers.
*'''March 2026:''' Verification opens for all developers worldwide.
*'''March 2026:''' Verification opens for all developers worldwide.
*'''September 2026:''' Enforcement begins in Brazil, Indonesia, Singapore, and Thailand <ref name=":0" />.
*'''September 2026:''' Enforcement begins in Brazil, Indonesia, Singapore, and Thailand.<ref name=":0" />
*'''2027:''' Targeted global rollout, eventually covering nearly all certified Android devices <ref name=":0" /><ref name=":1" />.
*'''2027:''' Targeted global rollout, eventually covering nearly all certified Android devices.<ref name=":0" /><ref name=":1" />


The new system applies to '''certified Android devices'''; phones and tablets that ship with Google Mobile Services (e.g., Pixel, Samsung, Xiaomi). Devices running '''uncertified AOSP builds''' or custom ROMs (e.g., GrapheneOS, LineageOS) are not subject to this restriction <ref name=":2" />. However, uncertified devices often face app compatibility issues due to SafetyNet/Play Integrity checks <ref name=":2" />.
The new system applies to certified Android devices which are phones and tablets that ship with [[Google Mobile Services]] (e.g., Pixel, Samsung, Xiaomi). Devices running uncertified AOSP builds or custom ROMs (e.g., GrapheneOS, LineageOS) are not subject to this restriction.<ref name=":2" /> However, uncertified devices often face their own sideloading and app compatibility issues, due to SafetyNet/Play Integrity checks.<ref name=":2" />


==Google's response==
==Google's response==
Google framed the change as a necessary '''security measure''' to reduce malware, fraud, and impersonation. The company stated that malware is '''50× more common outside the Play Store''' and that anonymity allows bad actors to evade accountability <ref name=":0" /><ref name=":2" />. Suzanne Frey, VP of Product for Android, likened the change to an '''ID check at the airport''': verifying who the developer is without inspecting app content <ref name=":0" />.
Google framed this new policy as a necessary security measure to reduce malware, fraud, and impersonation. The company stated that malware is "50× more common outside the Play Store" and that anonymity allows bad actors to evade accountability.<ref name=":0" /><ref name=":2" /> Suzanne Frey, VP of Product for Android, likened the change to an ID check at the airport: verifying who the developer is without inspecting app content.<ref name=":0" />


Google emphasized that it will not review or police apps distributed outside the Play Store for content, only verify developer identities <ref name=":0" /><ref name=":1" />. It highlighted support from industry and institutions, including the Developers Alliance, Brazil’s banking federation FEBRABAN, and Indonesia’s Ministry of Communication and Informatics, all of which praised the move as protecting users from fraud <ref name=":0" /><ref name=":1" />.
Google emphasized that it will not review or police apps distributed outside the Play Store for content, only verify developer identities.<ref name=":0" /><ref name=":1" /> Google's move gained support from some industry and institutions, including the Developers Alliance, Brazil's banking federation FEBRABAN, and Indonesia's Ministry of Communication and Informatics, all of which praised the move as protecting users from fraud.<ref name=":0" /><ref name=":1" />
 
As backlash mounted, Google took steps to clarify the changes. In late September 2025, an Android Developers Blog Q&A by Android security director Matthew Forsythe reiterated that sideloading is "fundamental to Android" and "absolutely not" going away, stressing the policy's focus on verifying developer identities rather than limiting user choice.<ref name=":7">{{Cite web |date=2025-09-30 |title=Let's talk security: Answering your top questions about Android developer verification |url=https://android-developers.googleblog.com/2025/09/lets-talk-security-answering-your-top.html |url-status=live |access-date=2025-10-27 |website=Android Developers Blog |archive-url=http://web.archive.org/web/20260119211533/https://android-developers.googleblog.com/2025/09/lets-talk-security-answering-your-top.html |archive-date=19 Jan 2026}}</ref> Google assured developers that common workflows remain unaffected; for example, installing test apps via '''[[wikipedia:Android_Debug_Bridge|ADB]]''' will not require verification.<ref name=":7" /> The company also introduced a free "'''limited distribution'''" developer account as well as a new Android Developer Console for students, teachers, and hobbyists, allowing them to publish apps without paying a fee or providing government ID.<ref name=":7" /><ref name=":8">{{Cite web |last=Rahman |first=Mishaal |date=2025-10-02 |title=We finally know how Android's new app verification rules will actually work |url=https://www.androidauthority.com/how-android-app-verification-works-3603559/ |url-status=live |access-date=2025-10-28 |website=Android Authority |archive-url=http://web.archive.org/web/20251228133458/https://www.androidauthority.com/how-android-app-verification-works-3603559/ |archive-date=28 Dec 2025}}</ref> However, these accounts come with significant app distribution restrictions, namely a strict cap on the number of devices that can install their apps. 
To enforce this restriction, any user of a hobbyist app must retrieve a unique device identifier, and the developer must whitelist that device in the Android Developer Console before the app can be installed.<ref name=":8" /> This two-way device registration limits "free tier" apps to a small, known group of people, whereas anyone aiming to reach a broad audience will need to upgrade to a fully verified paid account.<ref name=":8" />
 
Google also detailed how the verification enforcement will work. A new system service called the '''Android Developer Verifier''' will check each app at installation to confirm its package name and signing certificate are registered with Google.<ref name=":8" /> Common apps from verified developers can be installed offline thanks to a cached on-device list, but an active internet connection will be required to verify less common apps that aren't in the cache.<ref name=":8" /> To accommodate third-party app stores, Google is developing a "'''pre-auth token'''", a cryptographically signed blob that an alternative app store can pass to the system to pre-verify apps without repeated network calls.<ref name=":8" /> Enforcement of these rules will debut in '''Android 16 QPR2''' (the second quarterly update of Android 16, expected in late 2026), and Google will also update Play Protect on older Android versions to implement similar checks via Google Play Services.<ref name=":8" /> Notably, Google is carving out exceptions for enterprise scenarios: apps deployed through enterprise mobile management on managed work devices will install without developer verification (the assumption being that an organization's IT admin is taking responsibility for those apps' safety).<ref name=":8" /> However, truly offline use cases may prove tricky. Google has noted that entities with devices kept entirely off the internet will need to "determine for themselves" how to handle verification requests (i.e. such devices must periodically connect online to update the trusted app list).<ref name=":8" />


==Consumer response==
==Consumer response==
The announcement sparked backlash in online communities. On Reddit, users called the change ''“complete bullshit”'' and accused Google of '''gradually eroding Android’s openness''' <ref name=":5">{{Cite web |date=26 Aug 2025 |title=Google will block sideloading of unverified Android apps starting next year |url=https://www.reddit.com/r/Android/comments/1n0f5zt/google_will_block_sideloading_of_unverified/ |access-date=26 Aug 2025 |website=Reddit}}</ref>. Many argued that Android is becoming indistinguishable from iOS, with some stating they might switch to Apple or Linux since Android’s openness was its key advantage <ref name=":5" />.
The announcement sparked backlash in online communities. On [[Reddit]], users accused Google of gradually eroding Android's openness.<ref name=":5">{{Cite web |date=26 Aug 2025 |title=Google will block sideloading of unverified Android apps starting next year |url=https://www.reddit.com/r/Android/comments/1n0f5zt/google_will_block_sideloading_of_unverified/ |access-date=26 Aug 2025 |website=[[Reddit]] |archive-url=http://web.archive.org/web/20250826174618/https://old.reddit.com/r/Android/comments/1n0f5zt/google_will_block_sideloading_of_unverified/ |archive-date=26 Aug 2025}}</ref> Many argued that Android is becoming indistinguishable from iOS, with some stating that they may switch to operating systems from Apple or Linux since Android's openness was its key advantage.<ref name=":5" /><ref>{{Cite web |last=Schenck |first=Stephen |date=27 Aug 2025 |title=With developer verification, I'm struggling to think of Android as a proper smartphone platform |url=https://www.androidauthority.com/android-developer-registration-3591988/ |url-status=live |archive-url=https://web.archive.org/web/20250828113543/https://www.androidauthority.com/android-developer-registration-3591988/ |archive-date=28 Aug 2025 |access-date=28 Aug 2025 |website=Android Authority}}</ref>


Independent developers raised concerns that hobby projects or sensitive apps (e.g., protest tools, ad-blockers) would be stifled, as not all creators are willing to submit government IDs to Google <ref>{{Cite web |date=25 Aug 2025 |title=Google will allow only apps from verified developers to be installed on Android |url=https://news.ycombinator.com/item?id=45017028 |url-status=live |access-date=26 Aug 2025 |website=Hacker News}}</ref><ref name=":6">{{Cite web |date=26 Aug 2025 |title=Google wants to verify all app developers’ identities |url=https://discuss.grapheneos.org/d/25235-google-wants-to-verify-all-app-developers-identities |url-status=live |access-date=26 Aug 2025 |website=GrapheneOS Discussion Forum}}</ref>. Open-source communities, including GrapheneOS developers, argued this would discourage FOSS development and give Google exclusive control over Android’s ecosystem <ref name=":6" />.
Independent developers raised concerns that hobby projects or sensitive apps (e.g., protest tools, ad-blockers) would be stifled since not all creators are willing to (or can safely) submit government IDs to Google.<ref>{{Cite web |date=25 Aug 2025 |title=Google will allow only apps from verified developers to be installed on Android |url=https://news.ycombinator.com/item?id=45017028 |url-status=live |access-date=26 Aug 2025 |website=Hacker News |archive-url=http://web.archive.org/web/20251219175237/https://news.ycombinator.com/item?id=45017028 |archive-date=19 Dec 2025}}</ref><ref name=":6">{{Cite web |date=26 Aug 2025 |title=Google wants to verify all app developers' identities |url=https://discuss.grapheneos.org/d/25235-google-wants-to-verify-all-app-developers-identities |url-status=live |access-date=26 Aug 2025 |website=GrapheneOS Discussion Forum |archive-url=http://web.archive.org/web/20251219144142/https://discuss.grapheneos.org/d/25235-google-wants-to-verify-all-app-developers-identities |archive-date=19 Dec 2025}}</ref> Open-source communities, including [[GrapheneOS]] developers, argued this would discourage FOSS development and give Google exclusive control over Android's ecosystem.<ref name=":6" /><ref>{{Cite web |last=Sarang |first= |date=2025-08-26 |title=Finally Over: Google Blocks Sideloading of Android Apps |url=https://www.androidsage.com/2025/08/26/google-blocks-sideloading-of-android-apps/ |url-status=live |archive-url=https://web.archive.org/web/20250827201805/https://www.androidsage.com/2025/08/26/google-blocks-sideloading-of-android-apps/ |archive-date=2025-08-27 |access-date=2025-08-27 |website=Android Sage}}</ref>


Conversely, some security experts and industry groups welcomed the move, calling it a reasonable compromise that still allows third-party distribution while deterring anonymous malware authors <ref name=":0" /><ref name=":2" />. Critics countered that determined attackers could still exploit stolen IDs, and that this introduces a “choke point” giving Google leverage over all app installs <ref name=":3" />.
Conversely, some security experts and industry groups welcomed the move, calling it a reasonable compromise that still allows third-party distribution while deterring anonymous malware authors.<ref name=":0" /><ref name=":2" /> Critics countered that determined attackers could still exploit stolen IDs, and that this introduces a "choke point," giving Google leverage over all app installs.<ref name=":3" />


Regulators had not formally responded within the first 24 hours, but commentators noted that the change resembles Apple’s '''Developer ID''' system on macOS and may be Google’s way of tightening control while remaining compliant with the EU’s Digital Markets Act <ref name=":4" /><ref name=":6" />.
Regulators had not formally responded within the first 24 hours, but commentators noted that the change resembles Apple's Developer ID system on macOS and that it may be Google's way of tightening control while remaining compliant with the EU's {{Wplink|Digital Markets Act}}.<ref name=":4" /><ref name=":6" />
 
By late September 2025, open-source app developers escalated their opposition. The volunteer-run F-Droid app repository warned that Google's plan, if implemented, "will end the F-Droid project and other free/open-source app distribution sources as we know them today."<ref name=":9">{{Cite web |last=Anderson |first=Tim |date=2025-09-29 |title=Google's dev registration plan 'will end the F-Droid project' |url=https://www.theregister.com/2025/09/29/googles_dev_registration_plan_will/ |access-date=2025-10-28 |website=The Register |archive-url=http://web.archive.org/web/20260119211449/https://www.theregister.com/2025/09/29/googles_dev_registration_plan_will/ |archive-date=19 Jan 2026}}</ref> F-Droid cannot comply with a centralized registration regime; its team builds apps from source code and signs them with its own cryptographic keys so it cannot simply have each apps' original author register and hand over a signing identity without fundamentally changing F-Droid's model.<ref name=":10">{{Cite web |last=Prud'hommeaux |first=Marc |date=2025-09-29 |title=F-Droid and Google's Developer Registration Decree |url=https://f-droid.org/2025/09/29/google-developer-registration-decree.html |url-status=live |access-date=2025-10-27 |website=F-Droid |archive-url=http://web.archive.org/web/20260119212107/https://f-droid.org/2025/09/29/google-developer-registration-decree.html |archive-date=19 Jan 2026}}</ref>
 
Google offered a limited concession for situations where the same app exists in multiple stores: in rare cases, it will allow duplicate package names if one version has a significantly smaller user base (meaning the developer of the less-installed version might be asked to change their app's identifier).<ref name=":8" /> In practice this would do little to help F-Droid. Many apps on F-Droid share a package name with a more popular Google Play version, so Google's policy would effectively treat the Play developer as the rightful owner and force the F-Droid variant to disappear or rebrand, an outcome that violates F-Droid's core philosophy.<ref name=":8" />
 
The F-Droid team argued that Google is using security as a pretext to consolidate power over software distribution, especially since even the Play Store has repeatedly hosted malware despite all its checks.<ref name=":9" /><ref name=":10" /> In an official statement, F-Droid appealed to regulators and competition authorities around the world, citing the EU's Digital Markets Act, to scrutinize Google's proposal and protect the ability of alternative app stores and open-source developers to operate freely.<ref name=":10" />
 
Privacy and free-speech advocates also raised concerns. Requiring every app developer to verify their real-world identity would eliminate anonymity for creators of apps used in sensitive contexts, for example by political dissidents or whistleblowers.<ref>{{Cite web |last=Holwerda |first=Thom |date=2025-10-02 |title=Google details Android developer certification requirement, and it's as bad as we feared |url=https://www.osnews.com/story/143467/google-details-android-developer-certification-requirement-and-its-as-bad-as-we-feared/ |url-status=live |archive-url=https://web.archive.org/web/20251009112107/https://www.osnews.com/story/143467/google-details-android-developer-certification-requirement-and-its-as-bad-as-we-feared/ |archive-date=2025-10-09 |access-date=2025-10-29 |website=osnews}}</ref> Google acknowledged that legitimate reasons for developer anonymity exist and stated it won't publicly disclose developer information, but the company did not promise to withhold that information from governments should they seek it.<ref name=":8" /> Google's stance is that the status quo (allowing anonymous app distribution) poses risks it can no longer accept.<ref name=":8" />
 
Some former Android team members have also lamented the platform's direction. Jean-Baptiste Quéru, a founding Android engineer who led the Android Open Source Project, remarked that when he worked on Android, goals included keeping the app ecosystem "as open as the web" and letting users run their own builds, but "12 years later, this seems to have all died".<ref>{{Cite web |last=Holwerda |first=Thom |date=2025-09-29 |title=Google's Android developer registration requirement will kill F-Droid |url=https://www.osnews.com/story/143450/googles-android-developer-registration-requirement-will-kill-f-droid/ |url-status=live |archive-url=https://web.archive.org/web/20251009111928/https://www.osnews.com/story/143450/googles-android-developer-registration-requirement-will-kill-f-droid/ |archive-date=2025-10-09 |access-date=2025-10-29 |website=osnews}}</ref>
 
A website titled https://keepandroidopen.org/ was created to push back against Google's decision. It was endorsed by F-Droid in a blog post as a way for users to take action.  


==References==
==References==
<references />
{{Reflist}}
 
[[Category:Incidents]]
[[Category:Incidents]]
[[Category:Android]]
[[Category:Google]]
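Review bot: the last paragraph added to "Consumer response", the one about keepandroidopen.org, is the only new paragraph in this hunk without a citation, although it states that the site "was endorsed by F-Droid in a blog post". Cite that blog post, and give the link a label rather than writing "A website titled https://keepandroidopen.org/". Also in this hunk: "each apps' original author" should read "each app's original author", and "certified Android devices which are phones and tablets" needs a comma before "which" now that the old semicolon is gone.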