Consumer Rights Wiki

Android Developer Verification: Difference between revisions

← Older edit
VisualWikitext
ZoomySmile (talk | contribs)
confirmed
2 edits
updating wording of this article
Add additional reference for 50% install ownership threshold
 
(6 intermediate revisions by 5 users not shown)
Line 1: Line 1:
{{StubNotice}}
{{IncidentCargo
{{IncidentCargo
|Company=Google
|Company=Google
Line 12: Line 10:
}}
}}


On August 25th 2025, Google has announced an upcoming application installation restriction on Google-certified Android devices, unless the developer is registered and verified through their Developer Verification program, which in some cases requires a legal identity document verification as well as a flat fee.
On August 25th, 2025, [[Google]] announced an upcoming application installation restriction on Google-certified [[Android]] devices, requiring '''all''' developers to register & verify their identity through the Developer Verification program before their apps can be installed on Android devices. This requirement extends to '''''all''''' installation methods including sideloading, third-party app stores, & direct APK installations. This is a giant shift from android's traditionally open ecosystem.


==Background==
==Background==
On the Android mobile operating system, the user can, currently, freely install applications developed by anyone, with no kinds of penalty as to their origin, feature set or purpose. The only requirements is that the application follows the technical guidelines, that ensure that the application will be functional on the device, and is signed with any kind of certificate, which is required to maintain a chain of trust during application updates.
Android has historically allowed users to freely install applications from any source (sometimes called [[sideloading]]). This openness differentiated Android from competitors like iOS. It enabled alternative app stores, open-source repositories like [[F-Droid]], & direct developer-to-user distribution. The only technical requirements were that applications follow Android's technical guidelines for functionality & be signed with any certificate to maintain a chain of trust during updates.
 
This openness has been a defining characteristic of Android since its inception, supporting many different use cases from enterprise deployments to privacy-focused distributions. Google has defended this approach in antitrust proceedings, with Google's lawyers arguing in the [[Epic Games]] case that "Android and Google Play provide more choice and openness than any other major mobile platform"<ref>{{Cite web |date=2023-12-11 |title=Fortnite maker Epic Games wins its antitrust fight against Google |url=https://techcrunch.com/2023/12/11/epic-games-google-antitrust-win/ |access-date=2025-08-29 |website=TechCrunch}}</ref> & that the company's app store practices were "part of its fierce competition with Apple"<ref>{{Cite web |date=2023-12-12 |title=Epic Games wins antitrust lawsuit against Google |url=https://www.washingtonpost.com/technology/2023/12/11/epic-google-trial-verdict/ |access-date=2025-08-29 |website=The Washington Post}}</ref>.
 
==Announcement and rationale==
Google announced the Developer Verification requirements on August 25th, 2025, through the Android Developers Blog<ref>{{Cite web |date=2025-08-25 |title=Android Developers Blog: A new layer of security for certified Android devices |url=https://android-developers.googleblog.com/2025/08/elevating-android-security.html |url-status=live |archive-url=https://web.archive.org/web/20250825180832/https://android-developers.googleblog.com/2025/08/elevating-android-security.html |archive-date=2025-08-25 |access-date=2025-08-25}}</ref>. According to Suzanne Frey, VP of Product, Trust & Growth for Android, the system is designed to combat malicious actors who "''hide behind anonymity to harm users by impersonating developers and using their brand image to create convincing fake apps."''
 
Google cited security statistics showing ''"over 50 times more malware from internet-sideloaded sources than on apps available through Google Play"''<ref>{{Cite web |date=2025-08-25 |title=Google will require developer verification to install Android apps, including sideloading |url=https://9to5google.com/2025/08/25/android-apps-developer-verification/ |website=9to5Google |access-date=2025-08-29}}</ref>. The company framed the verification as ''"an ID check at the airport, which confirms a traveler's identity but is separate from the security screening of their bags."''
 
===Implementation timeline===
The implementation will be conducted in global rollout phases<ref>{{Cite web |date=2025-08-25 |title=Android developer verification {{!}} Android Developers |url=https://developer.android.com/developer-verification |url-status=live |access-date=2025-08-29}}</ref>:
 
*'''October 2025''': Early access opens for invited developers
*'''March 2026''': Open to all developers
*'''September 2026''': Enforcement begins in Brazil, Indonesia, Singapore, and Thailand
*'''2027 and beyond''': Global rollout continues
 
Key implementation details:
*No grandfather clauses for existing apps or developers
*Play Store developers likely already meet requirements through 2023's D-U-N-S implementation
*Organizations requiring D-U-N-S numbers should begin the process 28 days before deadlines
*Developers can initiate verification 60 days before enforcement
*90-day deadline extensions available for developers needing additional time
*After deadlines, users encounter system-level blocks with no override option when attempting to install unverified apps
 
==Technical implementation==
 
===Distribution types===
The Developer Verification system creates two tiers of developer accounts<ref>{{Cite web |date=2025-08-25 |title=Android developer verification {{!}} Android Developers |url=https://developer.android.com/developer-verification/guides/android-developer-console |url-status=live |archive-url=https://web.archive.org/web/20250825204008/https://developer.android.com/developer-verification/guides/android-developer-console |archive-date=2025-08-25 |access-date=2025-08-25}}</ref>:
 
====Full distribution====
*Intended for ''"organizations and professional developers with wide distribution"''
*Requires a one-time $25 fee
*Requires complete identity verification including:
**Government-issued photo ID
**Proof of address
**For organizations: D-U-N-S number (can take up to 28 days to obtain)
*No limits on app numbers or installations
 
====Limited distribution====
*Intended for ''"students, hobbyists, and other personal use"''
*Free registration
*Has ''"capped number of apps and installs"'' (specific limits not disclosed)
*Identity verification requirements unclear
 
===Package name registration===
Developers must register package names before apps can be installed. The system creates a cryptographic link between developer identity & app signing keys. Ownership priority is determined by installation statistics - developers whose signing keys account for over 50% of known installs receive registration priority<ref>{{Cite web |date=2025-08-25 |title=Updates to Play Console for Android developer verification: A first look |url=https://developer.android.com/developer-verification/assets/pdfs/updates-to-play-console-for-android-developer-verification.pdf |website=Android Developers |access-date=2025-09-01}}</ref><ref>{{Cite web |date=2025-08-25 |title=Resources {{!}} Android developer verification {{!}} Android Developers |url=https://developer.android.com/developer-verification/guides/resources |website=Android Developers |access-date=2025-08-25}}</ref>.
 
===Affected devices===
The requirements apply to all ''"[https://www.android.com/certified/partners/ Google-certified Android devices]"'' which includes:
*Devices with Google Play Store
*Devices with Google Mobile Services (GMS)
*Devices with Play Protect
*All mainstream Android devices from manufacturers including Samsung, Xiaomi, Motorola, OnePlus, and Google Pixel
 
Custom ROMs without Google services & uncertified devices are not affected by these restrictions.
 
==Developer response==
 
===Technical concerns===
Prominent Android developer Mark Murphy (CommonsWare) raised several technical concerns<ref>{{Cite web |date=2025-08-26 |title=Uncomfortable Questions About Android Developer Verification |url=https://commonsware.com/blog/2025/08/26/uncomfortable-questions-android-developer-verification.html |website=CommonsWare |access-date=2025-08-29}}</ref>:
*Debug keystore handling for development workflows remains unaddressed
*Sample code from Android development books would become unusable as "at most one person on the entire planet" could register each package name
*Beta testing workflows using different package names face complications
*Questions whether "it will no longer be possible to test apps under development on Google-certified production hardware" after 2027
 
===Privacy and safety concerns===
Developers expressed significant privacy concerns:
*Murphy cited the ICEBlock app developer who faced federal prosecution threats after identity disclosure, with his wife being fired from a DOJ job
*Google's privacy policy allows sharing developer information with ''"trusted businesses or persons"'' without clear restrictions<ref>{{Cite web |date=2025-08-29 |title=Android Security or Vendor Lock-In? Google's New Sideloading Rules Smell Fishy |url=https://news.itsfoss.com/new-android-sideloading-rules/ |website=It's FOSS |access-date=2025-08-29}}</ref>
*Open source developers fear harassment and doxxing after forced identity disclosure
 
===Open source community impact===
The F-Droid community reacted strongly, with one forum member stating: "F*** Google. Use GrapheneOS to drop Android... I find this development downright alarming"<ref>{{Cite web |title=FAQ - App Developers {{!}} F-Droid - Free and Open Source Android App Repository |url=https://f-droid.org/en/docs/FAQ_-_App_Developers/ |website=F-Droid |access-date=2025-08-29}}</ref>. Specific challenges include:
*F-Droid builds apps from source with its own signing keys, creating coordination requirements with upstream developers
*Community estimates suggest 85% of F-Droid apps could be "stuck in limbo" due to package ID conflicts
*Some developers announced via FreeDroidWarn that their apps "will no longer work on certified Android devices after that time"
 
==Consumer and user response==
Google's Q&A page for the announcement received lots of feedback<ref>{{Cite web |date=2025-08-25 |title=Q&A: New Android developer verification requirements |url=https://support.google.com/googleplay/android-developer/thread/361325854 |archive-url=https://web.archive.org/web/20250829100055/https://support.google.com/googleplay/android-developer/thread/361325854/%F0%9F%92%AC-q-a-new-android-developer-verification-requirements |archive-date=2025-08-29 |access-date=2025-08-29 |website=Play Console Help}}</ref>, including:
 
*Users highlighting the hypocrisy of enforcing security on sideloaded apps while Google Play distributes apps classified as scamware, malware, and adware
*Confusion over whether users would need to pay $25 to install apps on their own devices
*Concerns about offline device functionality (barcode scanners, kiosks) requiring internet connections for app signing verification
*Comparisons to Windows, where users noted: "I can install an app onto a Windows computer from any source without verification by Microsoft"<ref>{{Cite web |date=2025-08-26 |title=Google to restrict Android app sideloading to verified devs |url=https://www.theregister.com/2025/08/26/android_developer_verification_sideloading |website=The Register |access-date=2025-08-29}}</ref>
 
The Android community produced numerous critical videos<ref>{{Cite web |last=Mental Outlaw |date=2025-08-29 |title=Google is Locking Down Android |url=https://www.youtube.com/watch?v=L1S0SiBuJN8 |access-date=2025-08-29 |website=YouTube}}</ref><ref>{{Cite web |last=BrenTech |date=2025-08-26 |title=Google Will Soon Block Apps from Unverified Developers! Is This The End of Sideloading on Android? |url=https://www.youtube.com/watch?v=-nCgnXByGrY |access-date=2025-08-29 |website=YouTube}}</ref><ref>{{Cite web |last=TechLore |date=2025-08-27 |title=Android Is Becoming iOS: The End of Sideloading? |url=https://www.youtube.com/watch?v=PxGjwtiI8uM |access-date=2025-08-29 |website=YouTube}}</ref>, with titles like "Google is Locking Down Android" and "Android Is Becoming iOS: The End of Sideloading?"
 
==Industry and organizational response==
 
===Support===
The Developers Alliance stood as the sole organizational voice supporting the change, with co-founder Jake Ward stating it was "a critical step to ensure trust, accountability, and security across the Android ecosystem"<ref>{{Cite web |date=2025-08-26 |title=Developers Alliance Applauds Google's New Android Developer Verification |url=https://developersalliance.org/developers-alliance-applauds-googles-new-android-developer-verification/ |website=Developers Alliance |access-date=2025-08-29}}</ref>.
 
Government support emerged from initial rollout regions:
*Brazil's Federation of Banks called it a "significant advancement in protecting users"
*Indonesia's Ministry of Communications praised the "balanced approach that protects users while keeping Android open"
*Thailand's Ministry of Digital Economy described it as a "positive and proactive measure"<ref>{{Cite web |date=2025-08-25 |title=Google to Verify All Android Developers in 4 Countries to Block Malicious Apps |url=https://thehackernews.com/2025/08/google-to-verify-all-android-developers.html |website=The Hacker News |access-date=2025-08-29}}</ref>
 
===Criticism===
Technology publications characterized the change as fundamental to Android's nature:
*The Daily Security Review called it "a significant philosophical shift for Android, mirroring Apple's tightly curated ecosystem"
*It's FOSS warned "this could turn Google into the effective gatekeeper for all apps on 'certified' Android devices"<ref>{{Cite web |date=2025-08-29 |title=Android Security or Vendor Lock-In? Google's New Sideloading Rules Smell Fishy |url=https://news.itsfoss.com/new-android-sideloading-rules/ |website=It's FOSS |access-date=2025-08-29}}</ref>
*OSnews criticized it as "the death of our digital freedoms"
*Hackaday noted the timing "coincides with Google's court-mandated opening of Android following Epic Games' antitrust victory"<ref>{{Cite web |date=2025-08-26 |title=Google Will Require Developer Verification Even For Sideloading |url=https://hackaday.com/2025/08/26/google-will-require-developer-verification-even-for-sideloading/ |website=Hackaday |access-date=2025-08-29}}</ref>
 
==Impact on Specific Use Cases==
 
===Enterprise and MDM Deployments===
NomidMDM advised IT managers to "audit application inventory today" & make sure all line-of-business app developers complete verification before deadlines<ref>{{Cite web |title=The Core Change: Mandatory Verification for All Android Apps |url=https://www.nomidmdm.com/en/blog/the-core-change-mandatory-verification-for-all-android-apps |website=NomidMDM |access-date=2025-08-29}}</ref>. Affected deployments include:
*Wall-mounted displays
*Classroom broadcasting systems
*Shared device configurations
*Kiosk applications
*Industrial control systems
 
===Alternative app stores===
F-Droid faces serious challenges with the repository's build-from-source model conflicting with developer verification requirements. Alternative stores must make sure all hosted apps come from verified developers, effectively extending Google's verification to all distribution channels.
 
===Educational development===
Educational institutions face challenges as well:
*Student projects require individual verification for testing
*Sample code from textbooks becomes unusable without verification
*Classroom demonstrations need verified developer accounts
*Research projects face additional identity disclosure requirements
 
==Regulatory context==
The announcement arrives during active regulatory scrutiny of Google's platform practices:


==Introduction of Developer Verification==
===European Union===
On August 25th 2025, Google has released<ref>{{Cite web |date=2025-08-25 |title=Android developer console {{!}} Android developer verification {{!}} Android Developers |url=https://developer.android.com/developer-verification |url-status=live |archive-url=https://web.archive.org/web/20250825180832/https://developer.android.com/developer-verification |archive-date=2025-08-25 |access-date=2025-08-25}}</ref> a roadmap of a new requirement for application installations called the Developer Verification, which will require developers to register on the Android Developer Console, if they want their applications to be installable after the roll out of this system. When registering, the developers are offered a choice<ref>{{Cite web |date=2025-08-25 |title=Android developer verification {{!}} Android Developers |url=https://developer.android.com/developer-verification/guides/android-developer-console |url-status=live |archive-url=https://web.archive.org/web/20250825204008/https://developer.android.com/developer-verification/guides/android-developer-console |archive-date=2025-08-25 |access-date=2025-08-25}}</ref> between "Limited" and "Full" distribution types. The "Limited" distribution type is considered by Google to be best for "students, hobbyists, and other personal use", and is free to register, unlike the "Full" distribution type, which is considered to be suited for "organizations and professional developers with wide distribution". The "Limited" type is stated to have a "capped number of apps and installs", unlike the "Full" type. It is currently unclear whether or not the "Limited" type requires any kind of identity verification, as opposed to "Full", which requires full identity verification, as stated by Google.
The EU [[Digital Markets Act]] investigation issued preliminary findings against Google on March 19, 2025, for self-preferencing and payment system restrictions<ref>{{Cite web |date=2025-03-19 |title=Google Search, Play Store falling foul of Digital Markets Act rules, says EU |url=https://techcrunch.com/2025/03/19/google-search-play-store-falling-foul-of-digital-markets-act-rules-says-eu/ |website=TechCrunch |access-date=2025-08-29}}</ref>. Legal experts note potential conflicts with DMA provisions requiring gatekeepers to permit third-party software installation without the gatekeeper's identification services.


==Consumer response==
===United States===
Alongside the announcement, Google provided a Q&A page for existing developers to ask further questions<ref>{{Cite web |date=2025-08-25 |title=Q&A: New Android developer verification requirements |url=https://support.google.com/googleplay/android-developer/thread/361325854 |archive-url=https://web.archive.org/web/20250829100055/https://support.google.com/googleplay/android-developer/thread/361325854/%F0%9F%92%AC-q-a-new-android-developer-verification-requirements |archive-date=2025-08-29 |access-date=2025-08-29 |website=Play Console Help}}</ref>. There was a range of responses, some with practical questions about the implementation whereas others highlighting key flaws with the plans from both a consumer and developer perspective including:
The timing coincides with court-mandated changes following Epic Games' antitrust victory. The FTC outlined remedy concerns in an August 2024 amicus brief after the jury found Google illegally monopolized app distribution<ref>{{Cite web |date=2024-08-29 |title=FTC Outlines Remedy Concerns in Amicus Brief After Jury Finds Google Illegally Monopolized App Store |url=https://www.ftc.gov/news-events/news/press-releases/2024/08/ftc-outlines-remedy-concerns-amicus-brief-after-jury-finds-google-illegally-monopolized-app-store |website=Federal Trade Commission |access-date=2025-08-29}}</ref>.


*Android users highlighting the hypocrisy of enforcing security on side loaded apps (i.e. user installed apps not from the playstore) whilst they have observed Google's playstore distributing apps that could be classified as scamware, malware and adware.
===United Kingdom===
*The ambiguity of the announcement leading some to conclude you would have to pay a one time $25 fee to install apps on your own device.
The UK Competition and Markets Authority continues its Strategic Market Status investigation with consultation closing August 20, 2025<ref>{{Cite web |title=SMS investigation into Google's mobile platform |url=https://www.gov.uk/cma-cases/sms-investigation-into-googles-mobile-ecosystem |website=GOV.UK |access-date=2025-08-29}}</ref>, though no specific response to the verification requirements has been issued.
*Confusion over the requirement to register every package name before it can be installed leading some developers whom beta test multiple versions of the same app by using different package names with problems about how they will be able to resolve this issue.
*The confusion over 'development version' apps being installed over ADB (a USB android debugging interface) and how they would persist on device and whether they need full verification.
*The requirement of app signing thus potentially meaning installing apps requires an internet connection. This essentially bricks the functionality of devices that are intended to be used offline e.g. barcode scanners in supermarkets etc.


There has also been much kickback by the android community with a plethora of videos<ref>{{Cite web |last=Mental Outlaw |date=2025-08-29 |title=Google is Locking Down Android |url=https://www.youtube.com/watch?v=L1S0SiBuJN8 |access-date=2025-08-29 |website=YouTube}}</ref><ref>{{Cite web |last=BrenTech |date=2025-08-26 |title=Google Will Soon Block Apps from Unverified Developers! Is This The End of Sideloading on Android? |url=https://www.youtube.com/watch?v=-nCgnXByGrY |access-date=2025-08-29 |website=YouTube}}</ref><ref>{{Cite web |last=TechLore |date=2025-08-27 |title=Android Is Becoming iOS: The End of Sideloading? |url=https://www.youtube.com/watch?v=PxGjwtiI8uM |access-date=2025-08-29 |website=YouTube}}</ref> being published online, including Google's own platform YouTube, about the harms this will cause and the angry user sentiment.
==See also==
*[[Digital Markets Act]]
*[[Sideloading]]


==References==
==References==
Line 35: Line 158:


[[Category:Android]]
[[Category:Android]]
[[Category:Google]]
[[Category:Digital restrictions]]
[[Category:Privacy violations]]
[[Category:2025]]
Retrieved from "https://consumerrights.wiki/Android_Developer_Verification"