Jump to content

Google blocking sideloading of unverified Android apps: Difference between revisions

From Consumer Rights Wiki
← Older editNewer edit →
VisualWikitext
SciaIsHere (talk | contribs)
confirmed
5 edits
Edit header format.
SciaIsHere (talk | contribs)
confirmed
5 edits
Added 'Incidents' category to page
Line 34: Line 34:
==References==
==References==
<references />
<references />
[[Category:Incidents]]

Revision as of 22:18, 26 August 2025

On August 25, 2025, Google announced that starting in 2026 it will block the installation of Android apps from outside the Play Store unless the developer has verified their identity with Google. The policy will first roll out in Brazil, Indonesia, Singapore, and Thailand in September 2026, with global enforcement targeted for 2027 [1][2]. This marks a significant change to Android’s long-standing support for sideloading apps and has sparked debate among developers, consumers, and digital rights advocates [3][4].

Background

Android has historically allowed sideloading, which is installation of apps from outside the official Play Store. They usually allow this only if users enabled “unknown sources” in their device settings. This openness distinguished Android from Apple’s iOS, which restricts app installs to its App Store. Alternative app stores such as F-Droid and Amazon’s Appstore, as well as direct downloads from sites like APKMirror, thrived under this model [5].

Over time, Google introduced restrictions in the name of security. In 2023, it began requiring Play Store developers to verify their identities, which Google said reduced impersonation and malware [1]. Android 13 and Android 15 further limited what sideloaded apps could do, blocking access to sensitive permissions for apps not installed through official channels [6]. These steps laid the groundwork for Google’s new, broader enforcement.

Timeline

On August 25, 2025, Google announced that apps can only be installed on certified Android devices if their developers have verified their identity with Google [1]. Developers must register through a new Android Developer Console, pay a one-time $25 fee (except for hobbyists or students, who will have a separate free path), and provide identifying details such as legal name, address, and government-issued ID [2][3]. Apps must also be registered with their signing keys to prove ownership [3].

The rollout will proceed in stages:

  • October 2025: Early access program for select developers.
  • March 2026: Verification opens for all developers worldwide.
  • September 2026: Enforcement begins in Brazil, Indonesia, Singapore, and Thailand [1].
  • 2027: Targeted global rollout, eventually covering nearly all certified Android devices [1][2].

The new system applies to certified Android devices; phones and tablets that ship with Google Mobile Services (e.g., Pixel, Samsung, Xiaomi). Devices running uncertified AOSP builds or custom ROMs (e.g., GrapheneOS, LineageOS) are not subject to this restriction [3]. However, uncertified devices often face app compatibility issues due to SafetyNet/Play Integrity checks [3].

Google's response

Google framed the change as a necessary security measure to reduce malware, fraud, and impersonation. The company stated that malware is 50× more common outside the Play Store and that anonymity allows bad actors to evade accountability [1][3]. Suzanne Frey, VP of Product for Android, likened the change to an ID check at the airport: verifying who the developer is without inspecting app content [1].

Google emphasized that it will not review or police apps distributed outside the Play Store for content, only verify developer identities [1][2]. It highlighted support from industry and institutions, including the Developers Alliance, Brazil’s banking federation FEBRABAN, and Indonesia’s Ministry of Communication and Informatics, all of which praised the move as protecting users from fraud [1][2].

Consumer response

The announcement sparked backlash in online communities. On Reddit, users called the change “complete bullshit” and accused Google of gradually eroding Android’s openness [7]. Many argued that Android is becoming indistinguishable from iOS, with some stating they might switch to Apple or Linux since Android’s openness was its key advantage [7].

Independent developers raised concerns that hobby projects or sensitive apps (e.g., protest tools, ad-blockers) would be stifled, as not all creators are willing to submit government IDs to Google [8][9]. Open-source communities, including GrapheneOS developers, argued this would discourage FOSS development and give Google exclusive control over Android’s ecosystem [9].

Conversely, some security experts and industry groups welcomed the move, calling it a reasonable compromise that still allows third-party distribution while deterring anonymous malware authors [1][3]. Critics countered that determined attackers could still exploit stolen IDs, and that this introduces a “choke point” giving Google leverage over all app installs [4].

Regulators had not formally responded within the first 24 hours, but commentators noted that the change resembles Apple’s Developer ID system on macOS and may be Google’s way of tightening control while remaining compliant with the EU’s Digital Markets Act [6][9].

References

  1. 1.00 1.01 1.02 1.03 1.04 1.05 1.06 1.07 1.08 1.09 Frey, Suzanne (25 Aug 2025). "A new layer of security for certified Android devices". Android Developers Blog. Retrieved 25 Aug 2025.{{cite web}}: CS1 maint: url-status (link)
  2. 2.0 2.1 2.2 2.3 2.4 Perez, Sarah (25 Aug 2025). "Google will require developer verification for Android apps outside the Play Store". TechCrunch. Retrieved 25 Aug 2025.{{cite web}}: CS1 maint: url-status (link)
  3. 3.0 3.1 3.2 3.3 3.4 3.5 3.6 Anderson, Tim (26 Aug 2025). "Google kneecaps indie Android devs, forces them to register". The Register. Retrieved 26 Aug 2025.{{cite web}}: CS1 maint: url-status (link)
  4. 4.0 4.1 "Google will block sideloading of unverified Android apps starting next year". BleepingComputer. 26 Aug 2025. Retrieved 26 Aug 2025.{{cite web}}: CS1 maint: url-status (link)
  5. Thomas, Dallas (14 Sep 2024). "The Wild West days of sideloading on Android are officially over in this week's news". Android Police. Retrieved 25 Aug 2025.{{cite web}}: CS1 maint: url-status (link)
  6. 6.0 6.1 Rahman, Mishaal (25 Aug 2025). "Google wants to make sideloading Android apps safer by verifying developers' identities". Android Authority. Retrieved 26 Aug 2025.{{cite web}}: CS1 maint: url-status (link)
  7. 7.0 7.1 "Google will block sideloading of unverified Android apps starting next year". Reddit. 26 Aug 2025. Retrieved 26 Aug 2025.
  8. "Google will allow only apps from verified developers to be installed on Android". Hacker News. 25 Aug 2025. Retrieved 26 Aug 2025.{{cite web}}: CS1 maint: url-status (link)
  9. 9.0 9.1 9.2 "Google wants to verify all app developers' identities". GrapheneOS Discussion Forum. 26 Aug 2025. Retrieved 26 Aug 2025.{{cite web}}: CS1 maint: url-status (link)
Retrieved from "https://consumerrights.wiki/index.php?title=Google_blocking_sideloading_of_unverified_Android_apps&oldid=22348"