Google Details New 24-Hour Process To Sideload Unverified Android Apps (arstechnica.com)
- Reference: 0181050464
- News link: https://developers.slashdot.org/story/26/03/19/1832217/google-details-new-24-hour-process-to-sideload-unverified-android-apps
- Source link: https://arstechnica.com/gadgets/2026/03/google-details-new-24-hour-process-to-sideload-unverified-android-apps/
> Google is planning big changes for Android in 2026 aimed at combating malware across the entire device ecosystem. Starting in September, Google will begin [1]restricting application sideloading with its developer verification program, but not everyone is on board. Android Ecosystem President Sameer Samat tells Ars that the company has been listening to feedback, and the result is the newly unveiled advanced flow, which [2]will allow power users to skip app verification. With its new limits on sideloading, Android phones will only install apps that come from verified developers. To verify, devs releasing apps outside of Google Play will have to provide identification, upload a copy of their signing keys, and pay a $25 fee. It all seems rather onerous for people who just want to make apps without Google's intervention.
>
> Apps that come from unverified developers won't be installable on Android phones -- unless you use the [3]new advanced flow, which will be buried in the developer settings. When sideloading apps today, Android phones alert the user to the "unknown sources" toggle in the settings, and there's a flow to help you turn it on. The verification bypass is different and will not be revealed to users. You have to know where this is and proactively turn it on yourself, and it's not a quick process. [...] The actual legwork to activate this feature only takes a few seconds, but the 24-hour countdown makes it something you cannot do spur of the moment.
>
> But why 24 hours? According to Samat, this is designed to combat the rising use of high-pressure social engineering attacks, in which the scammer convinces the victim they have to install an app immediately to avoid severe consequences. "In that 24-hour period, we think it becomes much harder for attackers to persist their attack," said Samat. "In that time, you can probably find out that your loved one isn't really being held in jail or that your bank account isn't really under attack." But for people who are sure they don't want Google's verification system to get in the way of sideloading any old APK they come across, they don't have to wait until they encounter an unverified app to get started. You only have to select the "indefinitely" option once on a phone, and you can turn dev options off again afterward.
"For a lot of people in the world, their phone is their only computer, and it stores some of their most private information," Samat said. "Over the years, we've evolved the platform to keep it open while also keeping it safe. And I want to emphasize, if the platform isn't safe, people aren't going to use it, and that's a lose-lose situation for everyone, including developers."
[1] https://tech.slashdot.org/story/25/08/25/1716213/google-to-require-identity-verification-for-all-android-app-developers-by-2027
[2] https://arstechnica.com/gadgets/2026/03/google-details-new-24-hour-process-to-sideload-unverified-android-apps/
[3] https://android-developers.googleblog.com/2026/03/android-developer-verification.html?m=1
It's just pure bullsh]it (Score:3)
Seems like a good way for people to try to install an alternative store and then forget about it. 24-hours is insanely long in modern-attention-span/Internet time. Someone might start to install F-droid and NEVER finish.
It also means that it could take 24 hours after I buy a new phone to de-google it and make it usable if it applies even after an OEM unlock and flashing to LineageOS (which hopefully it won't, but who knows at this point). Adding scare tactics like this is just another way to lock people in, making your device owned by Google and not you. It's an entire world full of computer illiterate people that have allowed this insane market (started by Apple) of personal devices that you buy that you literally don't have admin access on. Imagine Microsoft trying to do that with Windows NT4? You have to go into BIOS, disable some stuff, then copy an OEM unlock key to a floppy, then do x/y/z, before you're allowed to create an Administrator account? Without it you can only load CDs that have Microsoft verified signatures on them?
Re: (Score:1)
Assuming once you enable it, it stays on, that's not too bad really.
Re: (Score:3)
Most people will only want to install one appstore and then use it. Now assume they want an epic store and need to wait 24 hours. Maybe they have forgotten about the apk for the store afterward. App(store) distributors are convincing users "right now" and Google makes them wait 24 hours. That ruins the marketing of the competition, who was happy to get the users' attention right now and know that they won't get it again that soon.
Re: (Score:2)
> Seems like a good way for people to try to install an alternative store and then forget about it. 24-hours is insanely long in modern-attention-span/Internet time. Someone might start to install F-droid and NEVER finish.
Most people who want to install F-droid will just toggle this when they take delivery of their new phone and be done.
Re: (Score:2)
"You will own nothing and be happy."
Re: (Score:2)
> "You will own nothing and be happy."
I like an optimist.
Re: (Score:2)
> Seems like a good way for people to try to install an alternative store and then forget about it. 24-hours is insanely long in modern-attention-span/Internet time. Someone might start to install F-droid and NEVER finish.
No one starts installing an entire app store and forgets to finish. I would understand if you were talking about an individual app sure, but not an entire store.
> It also means that it could take 24 hours after I buy a new phone to de-google it and make it usable if it applies even after an OEM unlock and flashing to LineageOS
Nitpick: It doesn't take 24 hours to degoogle it, it takes 24 hours to do something non-google with it. LineageOS is already de-googled.
Hmmm.... (Score:2)
Depending on how it's implemented...
1. Set the clock back by a few days
2. Toggle the setting
3. Set the clock correctly
I wonder if that will work?
Re: (Score:2)
I am surprised we are still allowed to change the clock.
Re: (Score:2)
If we truly cared about privacy, the clock would always be 12:00 (and flashing)
Re: (Score:3)
That's "all they are doing" after quite the backlash from users, so it isn't really all they were planning to do.
Re: (Score:2, Troll)
Imagine you are traveling, and you have your itinerary saved in a note taking app that isn't on the appstore. You are at the beach and drop your phone in the ocean. "No problem" you think to yourself as you go buy a burner phone. And then you try to set up your notes app to get your hotel's address. You are now stranded for 24 hours in a bestbuy parking lot.
Re: seems fine (Score:1)
That does suck, looks like you will have to store it in an app you can get from the play store.
Re: (Score:3)
A) your credit card was probably stored in your phone anyway, so you can't buy a burner phone B) An unverified backup solution doesn't exist. If you had tried a disaster recovery exercise whilst at home, you would have already realized that you need to pre-install all your apps on your recovery phone.
And yes, the normal consumer now has to have corporate level IT to be able to survive in the world reliably. How they achieve that I have no idea.
Will only stop legit users (Score:3)
So any scammer will just use some stolen keys or ID & credit card info and get easy access to your phone, and legit users will have to jump through stupid hoops including a 24 hour wait period.
They haven't added a single worthwhile feature to android in 5 years and yet their enshittification programme is working fine.
If you are worried about security ... (Score:1)
... you probably would not let Google near your phone!
Not a bad compromise (Score:1)
Scammers are a huge issue. A 24 delay is reasonable. Most people don't sideload anything. This will only affect some power users. Even power users get scammed. I have GrapheneOS, so I doubt it will affect me.
Re: (Score:2)
When you last enabled sideloading you should already have gotten huge warnings "Someone may want to scam you". Do users really need a babysitter that enforces wait time, when they could just read the warnings? Allow people some responsibility for themselves.
Re: (Score:2)
It'll potentially affect in-house mobile software negatively, using Google's enterprise software management is already pretty rough
Android's Cesspool Not Related to Sideloading (Score:5, Insightful)
Android is a cesspool because they do not care if vendors make unrealistic personal information demands. I think that comparatively, few people side-load, so Android is trying to scapegoat side loading for their ecosystem problems.
Re: (Score:2)
Parts of android are a cesspool sure.
For someone like me, it isn't. Real Firefox, with NoScript, uBlock and Privacy Badger, plus a nice selection of F/OSS apps on F-Droid make it the least cesspooly system. Oh and I get a fucking terminal and vi.
Why would I want a pocket computer without an interface that Adonai (blessed be he) intended?
Re: (Score:2)
I see no difference between Android and iOS for the same set of apps. People want what people want, and companies who like to rape privacy will rape privacy. Pretending this is an Android thing is stupid.
Play Store allows apps with same name (Score:5, Insightful)
To this day, the Play Store allows anyone to publish an app with the exact same name as an already existing one. Google doesn't give a fuck about security, this is about control.
What about the SafetyNet? (Score:2)
Would phones that bypassed verification and/or installed unverified apps still pass bank-app-level checks?
Shaw's principle (Score:2)
Build a system that even a fool can use, and only a fool will want to use it.
1984 was an instruction manual after all (Score:3)
The phrase "sideload" is psychological propaganda we are all best off rejecting. There is nothing "side" about loading software you choose to use onto your own device.
Aggression is unsurprisingly always justified in terms of safety. Android permission system is intentionally engineered to own users by enabling the very same victimization they now claim they care about preventing.
Android could for example trivially allow users to deny access to networks, location, contacts or reveal identifiers like IMEI without an application's knowledge rather than present day take it or leave it demands. The fact these things are not possible without root speaks to Google's actual intent and priorities. People are needlessly being spied on and spammed en masse because Google selfishly cares more about its interests than it does the interests of users.
When it is in Google's interest to add even more hoops for users to jump through to make it harder to install software on their own devices from competing sources then and only then do they pretend to care in order to justify unnecessary fuckery as a security feature.
Google Play services is itself offensive malware and the Google app store is a race to the bottom ecosystem that actively encourages the production and distribution of malware. F-droid is infinitely more secure than anything Google has to offer.
I hope this finally starts to crack the growing disease that is software dependencies on Google play services and more vendors start offering Google free phones by default.
What about F-droid and the like (Score:3, Interesting)
Can you authorize a 3rd party app repository to install APKs from there, but prevent random stuff downloaded from the Internet?
Overall, I like this approach, and maybe *slightly* more idiot-proofed than the current one where you can just install anything after one prompt. But I'd like the possibility to allow permissions for a trusted source to install additional ones and have the 24-hour counter for other stuff.
Re: (Score:1, Informative)
It sounds like all they're doing is adding a 24 hr timer to the allow 3rd party apps option.
Re: (Score:1)
That's what I thought as well.
Re: What about F-droid and the like (Score:2)
Yes. But the vast majority of people being scammed won't have it turned on, so when the scammer talks them through the process, there'll be a 24-hour wait. Scammy McScammer isn't going to wait 24 hours for "YOU NEED TO INSTALL THIS NOW!!!!" scam.
Re: (Score:3)
You can be totally scammed with apps downloaded from Google Play store.
Re: (Score:2)
Similar concerns here, both for F-droid apps and DJI's - which require installing from an APK downloaded directly from DJI to get the latest version. I only have a handful of apps I sideload, and when I'm not updating those I tend to have the ability to sideload turned off for the modicum of additional security afforded against inadvertent user error. If I either need to go through this 24-hour process every time I update the apps, or leave sideloading permanently enabled (which I'd be more likely to do,
Re: (Score:2)
> If I wanted a walled garden, I'd have bought an iPhone.
At this juncture I'm thinking the same. At some point I'll absolutely have to replace my ancient Samsung A520. If I can't put together an Android-based phone with a LineageOS version that allows immediate installation of any apk file I choose, from any source, then I might as well go with Apple.
But if it comes to that, I may get a cheap feature-phone for phone calls and texts, and a Pinephone or something similar as a pocket computer for web browsing and mail.
I really can't stand any iOS UI I've played with
Re: (Score:2)
> If I either need to go through this 24-hour process every time I update the apps, or leave sideloading permanently enabled...
Google says the 24 wait is "one-time only": [1]
However, the next step in the flow is to allow unregistered apps to install for the "next seven days" or "indefinitely". So what does one do if they select "seven days" and two weeks later they want to install something? Presumably there won't be a 24-hour wait because Google says that's a "one-time" thing. But the user also chose to allow the installations for only seven days. So which is it? And if the user selected "seven days"
[1] https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis2qzrN3la1xfuFPvwKStg8R76u58AZnJ4OoDwO-87e0lPMQKBvNrK8mCePsc-NztvxPG0dkbvAS0XUllxofkeq0EgQu839z8r_8Bip07wL81sQyxwawTqPc2qMFuHiAIupMi8xLsTpXnDZdrmgccr8RyiD1w51Ruc1UXCPHeOzXjpnA-4QoO0xGMopQk/s16000/Blog%20Post_Static_v2b.png
Re: What about F-droid and the like (Score:2)
It's a massive shift from what they said before, I take it to mean their lawyers convinced them it was going to be cheaper not to cut it off. Plus this way they get to mock Apple about it still.
Re: (Score:2, Interesting)
> Can you authorize a 3rd party app repository to install APKs from there, but prevent random stuff downloaded from the Internet?
> To verify, devs releasing apps outside of Google Play will have to provide identification, upload a copy of their signing keys, and pay a $25 fee. It all seems rather onerous for people who just want to make apps without Google's intervention.
That's the other case. Or to put it more simply "no". Google will treat an app installed from F-Droid like an app that's side loaded. If it's verified then fine - no problem. If it isn't verified then it won't install.
This basically forces F-Droid to mostly carry veri
Re: What about F-droid and the like (Score:3)
No, it doesn't. It requires you to turn on side loading in the developer settings and wait 24 hours. This is in TFS.
Re: (Score:2)
If you don't have that turned on (because you are a normal user) and you install a verified F-Droid app, then the F-Droid app should be able to install verified apps without you having to either work out how to turn on developer actions or wait 24 hours.