Google: Unverified apps soon via sideloading for experienced users

On August 25th, Google communicated that from autumn 2026, only applications whose publishers have previously registered with Google and signed the respective application will be allowed to be installed on certified Android devices, including sideloading. The company continues to pursue this strategy despite criticism, but Google is now working on a solution that allows “experienced users” to install unverified apps.

Sideloading for Power Users

On Wednesday, November 12, 2025, Google announced that it would invite developers to an early access program for developer verification in the Android Developer Console who distribute their apps exclusively outside the Play Store. In a further step, the company also intends to send invitations to the Play Console for Play developers, according to Google. Verification will be available to all developers from March 2026.

In this context, Google also explained that it is developing a “new, advanced flow” that will enable experienced users to “accept the risks of installing unverified software.” This solution is intended for developers and power users.

The company is developing this installation flow to “counteract coercion and ensure that users are not misled by the pressure of a scammer into bypassing these security checks.” The installation process will also include clear warning messages “to ensure that users fully understand the associated risks,” with the decision to install ultimately resting with them. Google is currently gathering initial feedback on the feature's design and plans to announce further details in the coming months.

Why Verification is Important from Google's Perspective

In the blog post on Google's Android Developers Blog, Matthew Forsythe, Director of Product Management for Android App Safety, explains why the company considers developer verification important for protecting Android users.

Online fraud and malware campaigns are becoming increasingly aggressive, which on a global scale means “real harm to people around the world” from Android. This particularly affects regions that are “undergoing rapid digitalization and where many people are going online for the first time.” While technical security measures are important, they cannot solve every scenario where a user is manipulated. Because “scammers use aggressive social engineering tactics to trick users into bypassing the very warnings designed to protect them,” according to Google.

As an example, Forsythe mentions a common attack that Google has observed in Southeast Asia: “A scammer calls their victim and claims their bank account has been compromised. Using fear and urgency, they pressure the victim to install a 'verification app' to secure their money.” The scammers then instruct the victims to ignore the usual security warnings. After installation, the app—which is malware—intercepts the victim's notifications, Forsythe explains. “When the user logs into their real banking app, the malware captures their two-factor authentication codes, giving the scammer everything they need to plunder the account.”

While Google has advanced security measures and safeguards to detect and remove malicious apps, without verification, malicious actors can immediately develop new malicious apps. “This becomes an endless game of whack-a-mole,” says the Googler. By requiring developers to disclose their identity, it should become more difficult for malicious actors to repeatedly offer new malicious apps. How effective this approach will ultimately be in practice remains to be seen.

(afl)