Google is moving ahead with plans that will change how apps get onto Android phones in key markets. The company detailed fresh timelines and technical steps yesterday in a blog post that signals the end of easy sideloading for many users on certified devices.
Beginning September 30, 2026, apps installed from seven major stores in Brazil, Indonesia, Singapore and Thailand must come from developers who have verified their identities with Google. The stores include Google Play, Samsung’s Galaxy Store, Xiaomi’s GetApps, and offerings from Honor, OPPO, Transsion and vivo. Android Developers Blog laid out the schedule. Enforcement spreads worldwide in 2027.
Millions of apps already carry registration. Nearly all installs on Google Play and a large majority from outside it now link to verified accounts. Matthew Forsythe, director of product management for Android app safety, wrote that the effort aims to stop malicious actors from hiding behind anonymity to release harmful apps. “This rollout is an industry-wide effort to create a safer ecosystem,” he said.
The change builds on last year’s announcement. It requires developers to submit government identification or organizational details in most cases. A $25 fee often applies for full distribution accounts. Students and hobbyists gain an alternative. Limited distribution accounts, opening for early access in July and fully in August, let them share apps with up to 20 devices without ID or payment. The Ars Technica report from today notes this accommodation responds to community feedback.
Yet the core restriction lands hard on open-source projects and alternative stores. F-Droid previously called the plan an existential threat. An open letter from dozens of organizations warned it could lock down the platform that once promised freedom. Even with workarounds, the friction grows.
Google answered some complaints in March by introducing an advanced flow for power users. That option arrives in August. Users must dig into a buried menu, acknowledge risks multiple times, endure a 24-hour wait, restart the device and reauthenticate with biometrics or PIN. Only then can they install from unverified developers. The process also resists coercion scams. “You’ll have to navigate to a buried menu, confirm you understand the risks multiple times, and wait a whole day before completing the process,” Ars Technica described it. Adb sideloading remains available but targets advanced users too.
A new system service called Android Developer Verifier rolls out this month. It installs automatically on most devices running Android 8 and higher. The service stays dormant until enforcement hits a region. Then it checks registration status for every install attempt. 9to5Google covered the auto-install detail in its coverage published today alongside the Google update.
Two new APIs should ease the burden for professional developers. The Android Developer ID Status API lets teams query whether a package name is already registered. The Android Developer Console API supports bulk registration and management directly from CI/CD pipelines. Both accept OAuth delegation so third-party stores can handle the work. Google starts the ID Status API in July with early access for the Console API. Full availability comes in August.
These tools arrived after developer requests. Forsythe highlighted appreciation for feedback from industry leaders and communities that shaped the final design. Adoption figures suggest many developers already accepted the shift. Over 99 percent of Play apps carry registration. Outside developers must now visit the Android Developer Console to link their packages.
The policy applies only to certified Android devices. Projects such as GrapheneOS fall outside its reach because they lack Google certification. That detail offers limited comfort to those committed to stock firmware or carrier phones in the four initial countries.
Critics still see a broader trend. Android once stood apart from Apple’s closed model. Now Google erects similar barriers, they argue, even if the stated goal remains user protection rather than content control. Scams that trick people into installing malware drove the decision. Verification creates accountability. Once Google removes one bad app, the same developer cannot quickly release another under a new identity.
But the mechanism reaches further than Play Store listings. Any install on certified devices in affected regions eventually funnels through the check. The 9to5Google piece today confirmed the Verifier service will sit ready on devices soon. And the Google blog makes clear that participating stores must comply from day one in those four markets.
Enterprise teams and large publishers face minimal disruption. Most already verified years ago for Play Console access. Smaller independents and open-source maintainers shoulder more work. They must decide whether to pay the fee, submit documents, or limit distribution to 20 test devices. Some may stop supporting certified devices altogether.
Google plans to watch results from the initial markets before the 2027 global push. Feedback loops remain open. The limited distribution accounts and advanced flow both reflect adjustments made after early criticism. Still, the direction holds. Identity checks now stand between developers and their audience on the world’s largest mobile platform.
Developers distributing in Brazil, Indonesia, Singapore or Thailand should check status immediately. Play Console users can see registration gaps on the home page. Others need to create accounts in the new Android Developer Console. The clock ticks toward September 30. After that date, unregistered apps simply will not install from those seven stores on certified phones in the target countries.
The move underscores a larger truth. Security and openness exist in tension. Google chose to tilt the balance toward the former. Whether the added friction delivers meaningful safety or simply consolidates control will become clearer once the first enforcement wave lands. For now, the technical pieces roll forward on schedule. The Verifier service deploys this month. APIs follow in July. Workarounds arrive in August. And on September 30 the restrictions begin.
Discover more from Web and IT News
Subscribe to get the latest posts sent to your email.