Google: The new and strict rules for sideloading on Android

  • Developer identity verification will be mandatory to install any app on certified Android devices, with the first applications in 2026 (Brazil, Indonesia, Singapore and Thailand) and global rollout in 2027.
  • The change affects Play apps and sideloading: new tools (Android Developer Console), ID requirements, keys and linking to packages; exceptions for students/hobby and a free account with limited distribution.
  • Companies strengthen their position with MDM and Managed Google Play; alternative stores and FOSS projects warn of centralization and risks to diversity, in a context under regulatory scrutiny.

Google has sparked debate within the Android ecosystem by announcing a significant change that directly affects the installation of apps from outside its official store. While the company insists that sideloading will not disappear, starting in 2026 it will require any application installed on a certified Android device to be linked to a developer with a verified identity. This decision, aimed at raising the bar for security, means unambiguously identifying who signs and distributes each APK, even if it comes from a website, a third-party store, or an alternative repository.

The measure will be implemented in phases and is not limited to Google Play: it also covers manual downloads and alternative app stores. Google explains that the goal is to make it harder for scammers to hide behind disposable accounts and reappear after a ban, strengthening traceability throughout the system. At the same time, the company emphasizes that Android will continue to allow installation from external sources. That said, the new requirement places Google at the center of identity verification, something that some in the open-source community find objectionable. This represents a shift towards a more controlled ecosystem.

What exactly changes with sideloading: mandatory verification beyond Google Play?

The core of the change is clear: for an app to be installed on a certified Android device (those that include Google services and access to Play), its developer must have undergone an identity verification process. This applies whether the app is on the Play Store or downloaded via sideloading. It's not a content audit, but rather a validation of who is behind it. Google compares it to identity checks at an airport: it's about who you are, not what you're carrying in your suitcase.

This additional layer aims to address a well-known pattern in mobile security: malicious groups that, after being banned, return with another account and a new APK. With verification, if an actor reoffends, Google can associate them with a specific identity and more effectively block that vector. For the average user, who primarily installs from the Play Store, the impact will be minor. The real difference will be felt in the area of sideloading, in third-party app stores, and in enterprise environments with internal apps. The official message: sideloading continues, but with credentials.

What data is requested and what will the process be like?

Google will enable a new Android Developer Console for developers who distribute apps outside of the Play Store. Developers already using the Play Console will be able to add third-party app management without creating a separate account; those operating exclusively outside of the Play Store will need a new account. Registration will require personal and contact information (full legal name, address, email, and phone number), with verification via code and official documentation (e.g., passport or driver's license). An organization publishing apps will need to provide company data and a global identifier, such as DUNS, in addition to validating its website.

Once identity is verified, the app must be linked to the legitimate owner: associate the package name, declare the SHA-256 public fingerprint of the signing key, and upload a signed APK that includes a specific verification file. For the vast majority, especially those who maintain a single key and a single package, the process will be relatively quick; Google says it takes minutes, not hours. The app's content is not reviewed at this stage.

There are exceptions designed for the community: students and hobby developers will have access to a free account type with less stringent requirements and without the usual $25 fee. In addition, Google has introduced a feature that allows distribution to a limited number of devices without full verification, by first registering the device identifiers in the console. It's an outlet for testing, hobbies, and very limited cases, although with clear limits.

Calendar and countries affected in the first phase

The rollout is phased in. Google has outlined a timeline that begins with early access for developers and culminates in strict enforcement by region. In the first countries (Brazil, Indonesia, Singapore, and Thailand) the requirement will be activated starting in September 2026; it will be extended to the rest of the world throughout 2027. In parallel, many organizations should plan for 2025 as a transition year: auditing their app portfolio, preparing documentation, and coordinating internal teams and vendors. Avoiding last-minute delays will be key to preventing critical installations or updates from being blocked.

Various adoption guides recommend a milestone-based plan: auditing and communication now and during the first half of 2025; completing account verifications in the second half of 2025; and having the ecosystem ready by 2026. Although the specific dates for each phase can be adjusted, the pattern is clear: those who enter the process early will reduce operational risks when Android starts blocking installations from unverified developers.

Is sideloading disappearing? What Google really says

Google has repeatedly emphasized that sideloading is part of Android's identity and will not be removed. Sameer Samat, head of Android, has stressed that the intention is to protect, not restrict, freedom of choice. In other words, installation from external sources will still be possible; however, the system will require that the person signing the app be identified, except in the special cases mentioned.

For small developers and students, the new free account with limited distribution offers a reasonable way to share builds with testers or a small community without undergoing full corporate verification. However, there is a frictional step: the user will have to share their device identifier with the developer for registration before installation. You gain control; you lose spontaneity in the exchange of APKs between strangers.

Impact on companies: more control, less risk, and a key role for MDM

For enterprise environments, the change reinforces strategies already recommended with Android Enterprise: whitelisting, managed Google Play, blocking unknown sources, and distribution from a mobility management (MDM) console. With extended identity verification, every public app on Play comes from a traceable developer, which adds a layer of trust to the selection process that IT teams already perform.

In the realm of private apps (LOB), the effect is even greater: the developer account used to publish the internal app to the Play Console for the organization will now need to be verified. Previously, private publishing could be linked to an account with minimal information; now, responsibility is associated with the actual legal entity that signs the code. If the verification expires, updates may fail, so operational hygiene (renewals, up-to-date data) becomes essential.

Regarding sideloading within the company, the new framework discourages anonymous installations. Google maintains that devices are exposed to malware tens of times more from external sources than from the Play Store: it has been reported that Play Store apps contain more than 50 times less malware, and other reports cite over 95% of threats originating from the alternative channel. Regardless of nuances, the direction is clear: blocking app downloads on Android and using only managed catalogs remains the recommended policy.

Google itself, through Suzanne Frey (VP of Product, Trust, and Growth for Android), has explained that verifying developers increases accountability and makes it harder for a banned malicious actor to reappear the next day with a different identity. In other words, it creates a strong link between code and entity, preventing any attempts at recurrence. Less anonymity means less surface area for fraud.

Open ecosystem concerns: F-Droid and centralization

The downside of the announcement has come from the FOSS community. Projects like F-Droid have warned that if Google becomes the authority that validates identities and controls the link between signing keys and package names, it will undermine the independence of community repositories. They argue that the obligation to register real identities and keys with Google positions the company as the de facto gatekeeper, also outside of Play.

F-Droid has been particularly explicit in assessing the potential impact: they fear the new system will render their current open and community-auditable distribution model unviable. They also point to a practical risk: if Google revokes a registration, an app could be effectively banned from circulation on certified devices, even if it doesn't violate Play policies, which adds a very powerful control lever.

Beyond F-Droid, many independent developers are reluctant to share personal documentation, physical addresses, or go through "corporate-style" verification processes to release small utilities or experimental tools. This additional barrier could lead to the disappearance or reduction of some software currently available outside the Play Store, limiting the diversity that has characterized Android.

Will it really be safer? Criticism of the "false sense of security"

The security argument is compelling, but it's not without its nuances. Recent investigations have shown how malicious apps have managed to slip through the net on the Play Store despite filters and verifications. Bitdefender, for example, detected hundreds of apps involved in ad fraud and phishing—more than 300—with tens of millions of downloads, using advanced techniques to hide themselves, bypass Android 13 restrictions, and even steal credentials and card data posing as legitimate utilities.

Given this precedent, some in the community fear that external verification could create a dangerous psychological effect: that users might assume any "verified" APK is harmless and let their guard down. If users interpret the verification label as a guarantee of complete safety, they might install apps less cautiously from sources they previously considered dubious. Identity does not replace behavioral analysis, sandboxing, or common sense.

Special rules, particular cases and the AdGuard example

There is an intermediate area that will continue to force apps to move outside of the Play Store for reasons of store policy, not legality. The case of AdGuard is illustrative: its network-level ad blocker cannot be on the Play Store due to Google's rules, so it is distributed from its website and in alternative stores. The app's team has assured that it will take the necessary steps to comply with the new verification and remain available for Android users, whatever the source.

Other alternative stores have met with varying fates: some have operated for years as parallel repositories; others have recently announced closures. Under the new framework, maintaining an independent store will require highly refined governance of identities, signatures, and compliance, and will still depend on the system's installation rules. Scale and resources will make the difference between surviving or not in this more demanding environment.

Legal implications: the EU's scrutiny and cases in the US

Android's shift comes at a sensitive regulatory time. In the European Union, the Digital Markets Act requires users to be able to install apps from alternative sources without artificial barriers. If verification requirements are perceived as a de facto obstacle to sideloading, it wouldn't be surprising to see scrutiny or legal challenges to force proportionate adjustments. In the United States, Google already faces antitrust litigation related to app distribution; adding stricter identity controls could fuel the debate about the concentration of power in the ecosystem.

The balance struck between security, free competition, and the user's right to choose will be crucial. Google faces a twofold risk: being seen as lukewarm if it doesn't sufficiently curb fraud, or as overly restrictive if it stifles diversity. The margin for maneuver will depend on the fine design of the implementation and how it is accompanied by transparency and guarantees.

What changes for the average user with sideloading?

For those who only use the Play Store, the change will be almost invisible: many developer accounts were already verified in 2023, and the store will reuse that information for the new global registration. Where there will be differences is in the alternative sector: some small projects might choose not to undergo verification and withdraw; others will consolidate their presence. On a practical level, installing from unofficial websites or repositories will require more steps, or it simply won't be possible if the developer is not registered.

Everyday experience can also be affected by small details: if you're part of a beta testing group for a niche app, you might have to send your device identifier to the developer to enable installation with the limited free account. All of this adds friction, but it reduces anonymity in the distribution chain. Less spontaneous, more traceable.

What should development and IT teams be preparing now?

If you develop or manage apps, the sooner you get organized, the better. Take inventory of everything you have in production and testing, note who signs each package and with what key, check if you use multiple keys and package names, and confirm which developer accounts publish your apps on the Play Store or elsewhere. Business continuity depends on not stumbling on the critical date.

Coordinate with external vendors and contractors to ensure your developer account will pass validation, verify that you have business identifiers (such as DUNS), addresses, and legal documentation readily available, and update procedures for timely credential renewal. In companies using MDM, adjust policies: closed app whitelisting, blocking of unknown sources, and mandatory use of Managed Google Play. The default policy should be "verified software only".
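The inventory step above ("who signs each package and with what key") and the console's request for the SHA-256 fingerprint of the signing key can be checked directly from the APK itself. The following is an added example, not Google's tooling or code from the article: it parses the APK Signing Block (v2/v3 scheme, per the published format) that sits just before the ZIP central directory and hashes each embedded signing certificate. The sample APK, its scheme block, and the placeholder "certificate" bytes are all constructed inside the code; no real key material is involved.

```python
import hashlib, io, struct, zipfile
MAGIC = b"APK Sig Block 42"
SCHEME_IDS = (0x7109871A, 0xF05368C0)        # v2 and v3 signature scheme block ids

def _lp(buf, pos):                           # one uint32-length-prefixed field -> (field, next_pos)
    n = struct.unpack_from("<I", buf, pos)[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def _certs(block):
    """Yield DER certs: signers -> signer -> signed data -> (digests, certificates, ...)."""
    signers, pos = _lp(block, 0)[0], 0
    while pos < len(signers):
        signer, pos = _lp(signers, pos)
        signed_data = _lp(signer, 0)[0]
        cert_seq, cp = _lp(signed_data, _lp(signed_data, 0)[1])[0], 0   # skip the digests field
        while cp < len(cert_seq):
            der, cp = _lp(cert_seq, cp)
            yield der

def signing_fingerprints(apk):
    """Sorted, deduplicated colon-hex SHA-256 fingerprints; [] if there is no v2/v3 block."""
    eocd = apk.rfind(b"PK\x05\x06")                          # end-of-central-directory record
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != MAGIC:
        return []                                            # unsigned or v1-only APK
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    pos, end, certs = cd_offset - size, cd_offset - 24, set()   # id/value pairs follow the leading uint64
    while pos < end:
        length, pair_id = struct.unpack_from("<QI", apk, pos)
        if pair_id in SCHEME_IDS:
            certs.update(_certs(apk[pos + 12:pos + 8 + length]))
        pos += 8 + length
    return sorted(":".join(f"{b:02X}" for b in hashlib.sha256(c).digest()) for c in certs)

def build_test_apk(cert_der, scheme_id=SCHEME_IDS[0]):
    """Constructed sample (not a real app): one-entry ZIP plus a signing block carrying cert_der."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"placeholder, not real dex code\n")
    raw = buf.getvalue()
    eocd = raw.rfind(b"PK\x05\x06")
    cd_offset = struct.unpack_from("<I", raw, eocd + 16)[0]
    lp = lambda b: struct.pack("<I", len(b)) + b
    signed_data = lp(b"") + lp(lp(cert_der)) + lp(b"")       # digests, certificates, attributes
    signers = lp(lp(lp(signed_data) + lp(b"") + lp(b"")))    # signer = signed data, signatures, public key
    pair = struct.pack("<QI", 4 + len(signers), scheme_id) + signers
    size = len(pair) + 24                                    # pairs + trailing uint64 + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + MAGIC
    eocd_rec = bytearray(raw[eocd:])
    struct.pack_into("<I", eocd_rec, 16, cd_offset + len(block))   # central directory has moved
    return raw[:cd_offset] + block + raw[cd_offset:eocd] + bytes(eocd_rec)
```

The colon-separated uppercase form matches what `keytool -printcert` reports as SHA256, so the output can be compared against the value declared in the console for each package.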

The official Android message: sideloading is part of the platform's DNA and isn't going away; the change aims to protect users and developers, not curtail their ability to choose. Even so, identity verification will be the new access pass to certified Android devices.

Alongside the technical preparations, it's important to clearly communicate the reasons for and limitations of the change. Verified identity doesn't work miracles: security analyses, secure development practices, permission reviews, and behavioral monitoring must be maintained. But it does increase the cost of operating in the shadows, and that's already a significant step. Safety is not a one-time act: it is an ongoing process.

Android faces a delicate transformation: if the goal is to curb malware's impunity without sacrificing the freedom that has always distinguished it from other systems, success will depend on implementation and safeguards for the open ecosystem. Between the promise of fewer scams and the fear of centralization, reality will be a necessarily uncomfortable middle ground in which users, companies and developers will have to adapt thoughtfully and with time.