Android users have two main options to install apps on their devices. Through Google Play, if the marketplace for apps is installed, or through sideloading. Up until now, releasing apps through Google Play required a verified developer account. This meant that the developer had to verify their identity before apps could be published.
Starting in 2026, developers who do not publish their apps through Google Play will also be required to verify their identity, if they want their apps to be installed on certified Android devices. A certified Android device, in a nutshell is any device with installed Google services.
Google says that it won’t check apps that are registered through the new program but not made available through Google Play. However, developers are required to use a new special Android Developer Console for sideloading.
Furthermore, the verification process requires that developers provide Google with personal information, including their name, address, email, and phone number, and verification of their identity, for instance by providing Google with documentation that confirms the identity.
Google plans to invite select developers of applications from October 2025 onward and enable free registrations from March 2026 on.
The sideloading of apps by unverified developers will be blocked in the countries Brazil, Indonesia, Singapore, and Thailand from September 2026 on. More countries are added to the list starting in 2027.
Google claims that the new process is designed to “better protect users from repeat bad actors”, as it will make it harder for malware actors to quickly release new malicious apps after Google has taken down an app from a developer.
The change will make it difficult for malware creators, as they need a certificate to distribute their malicious apps outside of Google Play. However, it is also giving Google access to additional data and ends the anonymous development and distribution of apps.
Now You: what is your take on this? Good decision by Google to stop malware and threat actors in their tracks, or a move to gain access to even more data and control?
That’s a problem. I use mostly sideloaded apps. I bet most of them are not registered.
Doesn’t this sound like the actions of a monopolist?
I note that the countries listed have not taken Google to court for monopolistic activity…
It is highly likely this will not be a requirement in the countries where Google have been accused of monopolistic activity…
A move to gain access to even more data and control.
Most of the repeat bad actors distribute their apps through the play store. Google isn’t going to prevent that malware by looking elsewhere.
So does this mean F-Droid will go down the tubes? I get most of my apps from there and only official ones like DigiD (mandatory in the Netherlands) from Google Play.
Is this supposed to make us all feel safer? How are they going to do that when a substantial number of malware infiltrates its way into the Play Store all the time: https://www.bitdefender.com/en-us/blog/labs/malicious-google-play-apps-bypassed-android-security