Android Developer Verification: Difference between revisions
Added:The vast majority of Android devices sold outside of China in the section Affected devices |
m link Google_Android_restrict_app_sideloading |
||
| (3 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
On August 25th, 2025, [[Google]] announced an upcoming [[Google Android restrict app sideloading|application installation restriction]] on Google-certified [[Android]] devices, requiring '''all''' developers to register and verify their real-life identity through the Developer Verification program and be approved by Google before their apps can be installed on Android devices. This requirement extends to '''''all''''' installation methods including "[[sideloading]]", third-party app repositories like [[F-Droid]], and direct APK installations. Google stated that this change "keeps the ecosystem open".<ref>{{Cite web |last= |date=Aug 2025 |title=Elevating Android's security to keep it open and safe |url=https://developer.android.com/developer-verification |url-status=live |archive-url=https://web.archive.org/web/20250825180832/https://developer.android.com/developer-verification |archive-date=2025-08-25 |website=Android Developers}}</ref> | |||
On August 25th, 2025, [[Google]] announced an upcoming application installation restriction on Google-certified [[Android]] devices, requiring '''all''' developers to register and verify their real-life identity through the Developer Verification program and be approved by Google before their apps can be installed on Android devices. This requirement extends to '''''all''''' installation methods including "[[sideloading]]", third-party app repositories like [[F-Droid]], and direct APK installations. Google stated that this change "keeps the ecosystem open".<ref>{{Cite web |last= |date=Aug 2025 |title=Elevating Android's security to keep it open and safe |url=https://developer.android.com/developer-verification |url-status=live |archive-url=https://web.archive.org/web/20250825180832/https://developer.android.com/developer-verification |archive-date=2025-08-25 |website=Android Developers}}</ref> | |||
This is a giant shift from Android's traditionally open ecosystem and an abandonment of Android's founding principles. | This is a giant shift from Android's traditionally open ecosystem and an abandonment of Android's founding principles. It renders all existing APK files created throughout the years useless, and gives Google the ability to censor apps they dislike, such as those that can create permanent local backups of YouTube videos outside of Google's ecosystem with no data lock-in (a popular example being TubeMate), and lets them terminate developers out of spite for reasons unrelated to their apps (such as holding political views Google disagrees with), in addition to giving governments the ability to order Google to censor unwanted apps, similar to what already happened with Apple in China. | ||
It also prevents new Android applications from being developed offline with no Internet connection or Google account, given that every package name has to be registered in the developer console. This can prevent even verified developers from creating apps in countries where governments intermittently turn off Internet access, block access to Google services, or selectively block individuals from accessing the Internet. | It also prevents new Android applications from being developed offline with no Internet connection or Google account, given that every package name has to be registered in the developer console. This can prevent even verified developers from creating apps in countries where governments intermittently turn off Internet access, block access to Google services, or selectively block individuals from accessing the Internet. | ||
Individuals who lose access to their Google accounts (for example, as a result of losing an authentication factor) would no longer be able register new applications. | Individuals who lose access to their Google accounts (for example, as a result of losing an authentication factor) would no longer be able register new applications. Unlimited offline distribution can also become a thing of the past. Google can impose arbitrary installation quotas, meaning limit the number of installations, like they are planning to do with student accounts. In the future, Google can also stop accepting submissions for older Android versions altogether, forcing people to purchase new devices to run software that could technically run on their existing device. | ||
As with any Google service, there exists a possibility that it will shut down entirely, given that Google has a long history of launching and shutting down experimental services. | As with any Google service, there exists a possibility that it will shut down entirely, given that Google has a long history of launching and shutting down experimental services. If Google shut down the Android Developer Console, no one could develop new Android application anymore, for any device sold with this verification requirement built in. | ||
==Take action, make our voice heard== | ==Take action, make our voice heard== | ||
| Line 81: | Line 70: | ||
Preventing critical banking apps from functioning due to enabled state of developer mode also makes installing unverified applications unfeasible to many users which majorly affects the rapidly growing FOSS android community and forces developer verification as well as payment of verification fee to Google, only to operate under limitations Google grants. | Preventing critical banking apps from functioning due to enabled state of developer mode also makes installing unverified applications unfeasible to many users which majorly affects the rapidly growing FOSS android community and forces developer verification as well as payment of verification fee to Google, only to operate under limitations Google grants. | ||
On March 23, 2025, Matthew Forsythe, Director of Product Management for Developer Experience on Google Play at Google, answered a question from an Android user on X (formerly Twitter) regarding advanced flow on Android. Forsythe explained that it will be possible to disable developer node once advanced flow is enabled to use apps that don't work with developer Mode enabled, such as banking apps. | |||
However, at present, it's not yet clear whether it will actually be possible to use advanced flow with Developer Mode disabled, and we don't know if enabling advanced flow will affect critical apps like banking apps, which might not function properly if the Advanced Feed system is enabled. | |||
==Technical implementation== | ==Technical implementation== | ||
| Line 135: | Line 128: | ||
*Open source developers fear harassment and doxxing after forced identity disclosure | *Open source developers fear harassment and doxxing after forced identity disclosure | ||
*F-Droid mentions that play store verification is proven to be ineffective at combating malware due to repeated instances of malware distributed through play store<ref>{{Cite web |last=Arntz |first=Pieter |date=2025-09-17 |title=224 malicious apps removed from the Google Play Store after ad fraud campaign discovered |url=https://www.malwarebytes.com/blog/news/2025/09/224-malicious-apps-removed-from-the-google-play-store-after-ad-fraud-campaign-discovered |url-status=live |archive-url=https://web.archive.org/web/20251005173848/www.malwarebytes.com/blog/news/2025/09/224-malicious-apps-removed-from-the-google-play-store-after-ad-fraud-campaign-discovered |archive-date=2025-10-05 |website=malwarebytes}}</ref><ref>{{Cite web |last=Thompson |first=Lain |date=2025-08-26 |title=Malware-ridden apps made it into Google's Play Store, scored 19 million downloads |url=https://www.theregister.com/2025/08/26/apps_android_malware/ |url-status=live |archive-url=https://web.archive.org/web/20251005173850/www.theregister.com/2025/08/26/apps_android_malware/ |archive-date=2025-10-05 |website=The Register}}</ref> | *F-Droid mentions that play store verification is proven to be ineffective at combating malware due to repeated instances of malware distributed through play store<ref>{{Cite web |last=Arntz |first=Pieter |date=2025-09-17 |title=224 malicious apps removed from the Google Play Store after ad fraud campaign discovered |url=https://www.malwarebytes.com/blog/news/2025/09/224-malicious-apps-removed-from-the-google-play-store-after-ad-fraud-campaign-discovered |url-status=live |archive-url=https://web.archive.org/web/20251005173848/www.malwarebytes.com/blog/news/2025/09/224-malicious-apps-removed-from-the-google-play-store-after-ad-fraud-campaign-discovered |archive-date=2025-10-05 |website=malwarebytes}}</ref><ref>{{Cite web |last=Thompson |first=Lain |date=2025-08-26 |title=Malware-ridden apps made it into Google's Play Store, scored 19 million downloads |url=https://www.theregister.com/2025/08/26/apps_android_malware/ |url-status=live |archive-url=https://web.archive.org/web/20251005173850/www.theregister.com/2025/08/26/apps_android_malware/ |archive-date=2025-10-05 |website=The Register}}</ref> | ||
*Jean-Héon points out that mandatory developer registration puts users at risk by pushing them to use dangerous workarounds to install unverified APKs of their choice and also puts developers at risk by exposing them to data leaks and identity theft. Jean-Héon advocates for a solution based on the device's antivirus software. <ref>{{Cite web |title=Google restricts the installation of third-party APKs on Android: what this means for Jean-Héon™. (Updated March 21, 2026). |url=https://sites.google.com/view/jean-honmctm/communiqu%C3%A9press-releases/keep-android-open-english}}</ref> | *Jean-Héon points out that mandatory developer registration puts users at risk by pushing them to use dangerous workarounds to install unverified APKs of their choice and also puts developers at risk by exposing them to data leaks and identity theft. Jean-Héon advocates for a solution based on the device's antivirus software. <ref name=":1">{{Cite web |title=Google restricts the installation of third-party APKs on Android: what this means for Jean-Héon™. (Updated March 21, 2026). |url=https://sites.google.com/view/jean-honmctm/communiqu%C3%A9press-releases/keep-android-open-english}}</ref> | ||
===Open source community impact=== | ===Open source community impact=== | ||
| Line 177: | Line 170: | ||
*OSnews criticized it as "the death of our digital freedoms" | *OSnews criticized it as "the death of our digital freedoms" | ||
*Hackaday noted the timing "coincides with Google's court-mandated opening of Android following Epic Games' antitrust victory"<ref>{{Cite web |date=2025-08-26 |title=Google Will Require Developer Verification Even For Sideloading |url=https://hackaday.com/2025/08/26/google-will-require-developer-verification-even-for-sideloading/ |website=Hackaday |access-date=2025-08-29 |url-status=live |archive-url=http://web.archive.org/web/20260203082923/https://hackaday.com/2025/08/26/google-will-require-developer-verification-even-for-sideloading/ |archive-date=3 Feb 2026}}</ref> | *Hackaday noted the timing "coincides with Google's court-mandated opening of Android following Epic Games' antitrust victory"<ref>{{Cite web |date=2025-08-26 |title=Google Will Require Developer Verification Even For Sideloading |url=https://hackaday.com/2025/08/26/google-will-require-developer-verification-even-for-sideloading/ |website=Hackaday |access-date=2025-08-29 |url-status=live |archive-url=http://web.archive.org/web/20260203082923/https://hackaday.com/2025/08/26/google-will-require-developer-verification-even-for-sideloading/ |archive-date=3 Feb 2026}}</ref> | ||
*According to Jean-Héon “Android Developer Verification is an absurdity for the free mobile ecosystem.”<ref | *According to Jean-Héon “Android Developer Verification is an absurdity for the free mobile ecosystem.”<ref name=":1" /> | ||
==Impact on specific use cases== | ==Impact on specific use cases== | ||