Google wants to make sideloading Android apps safer by verifying developers’ identities

Most Android users acquire apps from the Google Play Store, but a small number of users download apps from outside of it, a process known as sideloading. There are some nifty tools that aren’t available on the Play Store because their developers don’t want to deal with Google’s approval or verification requirements. This is understandable for hobbyist developers who simply want to share something cool or useful without the burden of shedding their anonymity or committing to user support. Unfortunately, malicious developers take advantage of this openness and hide behind a curtain of anonymity when distributing malware. To combat this, Google is introducing a major change that pulls back that curtain, making it harder for malicious actors to distribute harmful apps.

What’s changing for apps distributed outside the Play Store?

Today, Google announced it is introducing a new “developer verification requirement” for all apps installed on Android devices, regardless of source. The company wants to verify the identity of all developers who distribute apps on Android, even if those apps aren’t on the Play Store. According to Google, this adds a “crucial layer of accountability to the ecosystem” and is designed to “protect users from malware and financial fraud.” Only users with “certified” Android devices — meaning those that ship with the Play Store, Play Services, and other Google Mobile Services (GMS) apps — will block apps from unverified developers from being installed.

Google says it will only verify the identity of developers, not check the contents of their apps or their origin. However, it’s worth noting that Google Play Protect, the malware scanning service integrated into the Play Store, already scans all installed apps regardless of where they came from. Thus, the new requirement doesn’t prevent malicious apps from reaching users, but it does make it harder for their developers to remain anonymous. Google likens this new requirement to ID checks at the airport, which verify the identity of travelers but not whether they’re carrying anything dangerous.

What information will developers need to submit to Google, and how?

Developers who distribute apps outside the Play Store will need to verify their identity through the new Android Developer Console that Google is currently building. This is equivalent to the Google Play Console that Play Store developers currently use, but Google says it will provide a simpler, more streamlined verification process.

Like the Google Play Console, the Android Developer Console will ask developers to provide their legal name, address, email, and phone number. (Organizations will additionally need to provide their website and a D-U-N-S number.) On Google Play, this information is shown to users on Play Store listings, but Google told Android Authority that the information developers provide to Google through the Android Developer Console “will not be surfaced to users.”

Many hobbyist and student developers already complain about this requirement on Google Play, as it essentially forces them to reveal their personal information unless they set up a business address, so it’s good to see that Android won’t dox them. Google says it understands the needs of hobbyist and student developers are “different from commercial developers” and is therefore creating a “separate type of Android Developer Console account” for them. This separate account type will have “fewer verification requirements” and won’t require the $25 USD registration fee that is otherwise required.

Speaking of which, developers only need to create a separate Android Developer Console account if they don’t plan on distributing any of their apps on Google Play. Developers with existing Google Play Console accounts can use them to register their non-Play apps and signing keys.

When will Google’s new developer verification requirements go into effect?

This new requirement won’t go into effect immediately but will be implemented in phases. An early access program will open in October 2025, allowing developers to participate in discussions, receive priority support, and offer feedback. The program will then open to all developers in March 2026, a full six months before the requirements begin.

The requirements will first go into effect in September 2026 for users in Brazil, Indonesia, Singapore, and Thailand. At that point, any app a user in those countries installs must come from a verified developer. Google is targeting these regions for the initial rollout as they’re “specifically impacted” by fraudulent app scams often committed by “repeat perpetrators.” A global rollout is planned to continue through 2027.

Once the requirement is active, developers can still distribute their apps outside the Google Play Store, but they’ll be held more accountable. This will certainly upset some privacy-conscious developers who don’t want to submit their personal information to Google, and it will also alarm some users who worry that Google is locking down Android too much. Still, with Google’s own analysis finding 50 times more malware from internet-sideloaded sources than from the Play Store, it’s hard to argue this change won’t do some good. However, the true effectiveness of the new requirements won’t be known until they are fully implemented.

Google’s new requirement is similar to Apple’s Developer ID and Gatekeeper model on macOS, which has successfully stopped less sophisticated attacks. Even a small reduction in malware on Android would be a positive outcome, but whether it’s worth the loss of developer anonymity is up for debate.

This article was updated at 1:35 PM ET with more information from Google and screenshots of the Android Developer Console.