Google details new 24-hour process to sideload unverified Android apps

The "advanced flow" will be available before verification enforcement begins later this year.

See full article...

 

[Train of Thought]

I've been running GrapheneOS on my Pixel for six months now with zero issues. Highly recommend to those with compatible devices.

Google can fuck right off with their enshittified bullshit disguised as "safety".

ETA: When I pay for a computer it needs to do what I tell it to do, when I tell it to. Nothing more, nothing less. For those of you who read this that work for these companies....for the love of fucking christ, stop being evil.

You're absolutely right, I have also enjoyed a Pixel with GrapheneOS for a long time.

SeedVault and Duress PIN are killer apps.

But unfortunately, there are many hidden obstacles ahead of us.
Google has been moving more and more out of AOSP and into closed source, including the drivers.
This makes it significantly harder for Graphene, Calyx, and Lineage to provide us with updates going forward.

Fortunately, it looks like Motorola is picking up the baton where Google is about to throw us under the bus.
It is very possible that Motorola is entering its golden age.

https://motorolanews.com/motorola-three-new-b2b-solutions-at-mwc-2026/

Let’s hope they include a 3.5 mm jack and SD card support, along with a great camera.
If so, they will have the best phone on the market by a wide margin.

 

[auhim]

I am really hoping the fall of American tech abroad will mean that in the next 5 years we have a real (open source) alternative to platforms owned by either Google or Apple with broad app support. I don't care if it's a deGoogled Android fork (easier as a third common app deployment target), a mainstream Linux phone, or something else.

 

[Train of Thought]

I am really hoping the fall of American tech abroad will mean that in the next 5 years we have a real (open source) alternative to platforms owned by either Google or Apple with broad app support. I don't care if it's a deGoogled Android fork (easier as a third common app deployment target), a mainstream Linux phone, or something else.

I think one of the options that will fulfill your wish is Fairphone with MurenaOS (/e/OS)

 

[ktmglen]

I am really hoping the fall of American tech abroad will mean that in the next 5 years we have a real (open source) alternative to platforms owned by either Google or Apple with broad app support. I don't care if it's a deGoogled Android fork (easier as a third common app deployment target), a mainstream Linux phone, or something else.

It really is crazy we let two companies from a single nation dictate the smart phone experience for 8 billion-ish people.

 

[Train of Thought]

It really is crazy we let two companies from a single nation dictate the smart phone experience for 8 billion-ish people.

Yep, and what’s even more crazy is that the banks here in Scandinavia are well underway with tying us to the masts of these 'sinking ships' through their Digital ID.
This ID gives us access to banking, healthcare, the transport authority, and more.

You must have either an iPhone or a 'certified' Google phone (meaning those that crushes privacy) to access your digital ID.
Both phones are equally bad.

 

[reyan]

Yours is understatement. The Play Store is a hot mess, F-Droid is safer in totality, many thanks to the developer community, and its not so much a bit funny as quite hilarious albeit the laughter is the laughter of irony.

Would a scammer pushing a non-verified bad app really do so by trying to publish it on f-droid?

 

[bert23]

The good news is that Linux phones, while still alpha quality, are wayyyyy beyond where they were about 3 years ago.

We are definitely in need of a third option but is a linux phone really a good option? that's what android is, a phone OS built on top of the linux kernel.

There's a huge amount of work involved to keep android up to date with the mainline kernel. A lot of regressions to deal with etc. Then of course phone manufacturers needing to rebase their phone on the new kernels too. Maintaining LTS releases is a huge amount of work too.

Why is all that needed? There's so much in the linux kernel that is unnecessary. So many security vulnerabilities as a result. All the work involved due to being downstream.

If we're going to have a serious third option it should be using a purpose built microkernel. That's what Huawei have done with HarmonyOS NEXT, their android replacement.

Just because linux exists doesn't mean that's the right way to go.

 

[ReaderBot]

So the downside is that I have to wait 24 hours before I can install F-Droid on my next phone.

The upside is that scammers cannot trick clueless users to install malware as easy.

I can live with this.

You forgot the other upside. Every developer on F-Droid now owes Google $25 for absolutely nothing in return.

 

[ReaderBot]

Yeah, I'm in your camp here as well. This whole process actually seems somewhat reasonable. I know it's fashionable here to consider Google to be The Great Satan, but it seems at least possible that they're actually trying to combat bad actors. Sure there's malware in the Play Store, but they are trying to manage it. There's also bad stuff in Apple's App Store, and none of the stuff in the official stores is as bad as the apps that unwary users get tricked into installing by scammers.

I think, overall, the Ars commentariat is probably too hard on Google. They've built a relatively open ecosystem. OSes like GrapheneOS couldn't exist without AOSP, and even the devs on that product appear pretty frequently to get exhausted by all of the anti-Google vitriol. Android today really is a mess of malware and scamware, and it's bad for Google, and Google's brand, and their users.

Sure, Google is an advertising company, but they actually don't sell user data; they just use that data to place ads. Apple collects the same exact data in the same exact way; they just use it internally and don't allow marketers to use it for ads. Also, Apple supports a tyrannical regime in China and doesn't allow any user freedom at all, while Google left China out of principle and publishes source code for one of the most complex pieces of software in existence.

Yeah, I'd love it if Google didn't do any surveillance and somehow funded AOSP with magic money, but that's not a particularly reasonable request. They could be better, but in this case, I'm willing to give them some benefit of the doubt. 24 hours one time per phone is just not a big deal.

Your bully isn't a nice guy just because he lets you pay him $25 to stop punching you in the face.

Every justification attempted for this suddenly "necessary" lockdown is a transparent lie.

 

[fenncruz]

But allowing us to turn off the 24 hour wait after the first time permanently would be so much better.

You mean like how the article mentions there's an "allow indefinitely" option?

 

[reyan]

We are definitely in need of a third option but is a linux phone really a good option? that's what android is, a phone OS built on top of the linux kernel.

There's a huge amount of work involved to keep android up to date with the mainline kernel. A lot of regressions to deal with etc. Then of course phone manufacturers needing to rebase their phone on the new kernels too. Maintaining LTS releases is a huge amount of work too.

Why is all that needed? There's so much in the linux kernel that is unnecessary. So many security vulnerabilities as a result. All the work involved due to being downstream.

If we're going to have a serious third option it should be using a purpose built microkernel. That's what Huawei have done with HarmonyOS NEXT, their android replacement.

Just because linux exists doesn't mean that's the right way to go.

They probably are saying that because open source mobile software stacks using Linux actually exist.

 

[Kitkoan]

I kind of think this article should've included information about why they are actually doing this: the Epic lawsuit rulings. Where Apple got off lighter than Play Store because of the open garden.

I think it's a bit more than just the Epic lawsuit. Google is getting hammered with Android and their policies not just in the USA, but in Europe too.

Issue is, while Apple has been required to allow side loading there, they have also been allowed to demand extra fee's for that requirement (core technology fee's, etc...). Google I think is reading the room and seeing that if company A is allowed to add fee's like that and get the governments blessings, why shouldn't they? Why would they leave money on the table that is obviously approved by different governments?

 

[dreilide]

So the downside is that I have to wait 24 hours before I can install F-Droid on my next phone.

The upside is that scammers cannot trick clueless users to install malware as easy.

I can live with this.

And this is precisely how massive corporations get you to give up your rights to them. You can live with this seemingly innocuous change, but they've just shifted the window in their favor. The next shift will no doubt also feel "acceptable".

 

[ReaderBot]

I'd like to see their statistics. I'm curious how many installs these nefarious side-loaded apps have vs. the verified-by-Google malware that comes from the Play Store.

 

[StevoTheDevo]

The only disappointing thing for me is that it took kicking up a stink for this to be a thing (assuming Google follow through and it is a thing and is a thing on the day or prior to Google turning on this new requirement).
Otherwise, it seems like an OK compromise position to me.
If you ever intend on sideloading, you probably also have a fair understanding of the associated risks, authorise the handset, wait the 24 hours and you're done life is as normal today (in fact sideloading sounds like it might be even smoother!)
For the 99% who have no idea what sideloading even is, the additional hoops to jump through, plus the 24 hours delay is a fair hurdle to protect them from malicious actors.
And Devs who do not wish to authenticate with Google can continue to not authenticate with Google.

 

[StevoTheDevo]

And this is precisely how massive corporations get you to give up your rights to them. You can live with this seemingly innocuous change, but they've just shifted the window in their favor. The next shift will no doubt also feel "acceptable".

Unless I've missed something, waiting 24 hours is legitimately the only major change here. That's a grain of sand's worth of movement on the alleged slippery slope.

 

[dreilide]

Unless I've missed something, waiting 24 hours is legitimately the only major change here. That's a grain of sand's worth of movement on the alleged slippery slope.

Imagine having to wait 24 hours before installing whatever software you wanted on Windows or macOS. It's an absurd suggestion.

And, like I said earlier, this is a requirement that can be very easily ratcheted to become increasingly burdensome over time. A slippery slope is not inherently a logical fallacy unlike the alleged security argument being used to push this corporate control over other people's computing devices.

 

[StevoTheDevo]

Imagine having to wait 24 hours before installing whatever software you wanted on Windows or macOS. It's an absurd suggestion.

And, like I said earlier, this is a requirement that can be very easily ratcheted to become increasingly burdensome over time. A slippery slope is not inherently a logical fallacy unlike the alleged security argument being used to push this corporate control over other people's computing devices.

I think you're missing that the 24 hours thing can be a once and done thing, if you choose it to be so.

And I don't have to "Imagine having to wait 24 hours before installing whatever software you wanted on Windows or macOS." or Linux, or iOS for that matter. Daily life enforces that scenario whenever I need to set up a new device.
If it takes me less than a week to have a new device fully up and running the way I'd like to daily drive it, then it's been a very quiet week. It's a time consuming and tedious task, the sort of thing you procrastinate doing cause it's so boring even if you did have nothing to do for 12 hours.
Adding a 24 hour hurdle introduces a very marginal change to the order of installation and setup.

 

[AlaskanDruid]

... .... no.

1. I've been a developer since 2016 and paid the $25 then, and had to provide my ID, etc to verify myself.. so that is -not- new.
2. Just found out late last month that since I haven't released anything recently.. Google decided to just.. block the account. How do I release more stuff? Pay.. again, create a new account with a new email address, and not permitted to continue updates, etc of my existing apps.. but I can make new ones under a new name.. (herp derp).
3. As for the "new" steps.. errr

First step has been around since at least 2016. Second step literally does not exist ("Allow Unverified Packages" is no where to be found). The rest of the steps are moot due to missing #2.

Ah, and this isn't limited to Android Phones. Tablets are restricted the same.

This would be less scammy if Google didn't force developers to continuously pay every so often.

 

[Bzored]

You won't own your hardware and you will like it.

 

[hizonner]

I don't like it, but I could probably live with it, which is more than I can say for their past positions. Still not sure it'll do anything. You can't fix stupid.

 

[dreilide]

I think you're missing that the 24 hours thing can be a once and done thing, if you choose it to be so.

Nope. I fully understand this just fine. I own the device. It is mine. The 24 hour waiting period, even once, is wholly unacceptable.

And I don't have to "Imagine having to wait 24 hours before installing whatever software you wanted on Windows or macOS." or Linux, or iOS for that matter. Daily life enforces that scenario whenever I need to set up a new device.
If it takes me less than a week to have a new device fully up and running the way I'd like to daily drive it, then it's been a very quiet week. It's a time consuming and tedious task, the sort of thing you procrastinate doing cause it's so boring even if you did have nothing to do for 12 hours.
Adding a 24 hour hurdle introduces a very marginal change to the order of installation and setup.

I'm sorry, but this is an exceptionally lame cop out. You personally need a week to setup an OS so the entirely artificial 24 hour waiting period (like I'm buying a gun ffs) is therefore reasonable to foist on literally everybody? You cannot possibly be serious. "I drag my feet when setting up a new computer so therefore it's okay to surrender my and everybody else's sovereignty to a massive corporate entity." Helluva an argument you got there.

 

[mrlitsta]

This is infuriating. The reason I have a. Android phone is so I can have a prayer of treating my phone like a general purpose computer. I despise the trend of locking everything down and God help us all if a government decides to actually leverage some of the nanny surveillance state garbage we've let creep into our tech over the past 20 years. Lockable bootloaders were a harbinger of things to come, TPM being chief among them.

 

[abazigal]

It really is crazy we let two companies from a single nation dictate the smart phone experience for 8 billion-ish people.

Hardly. The alternatives was to continue using Symbian with crappy mobile apps, because it’s clear we were never going to see the level of innovation needed to make modern smartphone ecosystems happen anywhere else.

 

[CalpurniaScroop]

You only have to select the “indefinitely” option once on a phone, and you can turn dev options off again afterward.

Is that confirmed? I didn't see that in Google's article, and the "developer mode" page says that all changed settings will be reverted when disabling it again.

 

[pseudonomous]

You need some sort of a computer to write Android apps too, don't you?

I already had one of those, so thar was no extra expense. It was not, however, a Mac, and Apple didn't release an iOS SDK for Linux, which is where I would want to do my dev work.

It turns out, though, that you actually don't necessarily need a separate computer to do dev work on Android. See:

https://android.processing.org/gallery/

 

[TheCrackLing]

It's obviously smarter than that.

You need to upload a photo of yourself holding up a copy of tomorrow's New York Times.

What if I only have the Chicago Sun-Times? Pesky cat always shows up with it too.

 

[XSportSeeker]

Ok, so, this means the end of FOSS on Android as we know it.

Sh*tty as it is, as it was always going to be, this effectively confirms that Google is NOT backtracking jacksh*t like they promised to do, and they are in fact doubling down on going full walled garden mode.
For those not following the story on the privacy and security side, this has been announce a while ago, Google backtracked after a backlash saying they'd find a way to create exceptions or make it not affect stores like F-droid, rumors came out that they were actually going to implement it anyways, and this seems to be confirmation of that.

This further accelerates the need and speed of development of what I have personally thought years ago was necessary either way - to stop trying to make Android and AOSP projects work, and redirect towards some other OS, could also be Linux based, that is fully and completely free of Big Tech influence and control.

And I'm already predicting that if things continue going this way, we might have to jump architectures too - like Risc V instead of ARM or x86, just to note.

I mean, sure, you can still go with custom ROMs with this, just to escape some of the abuse that is coming. But mainstays of FOSS apps on Android, as explained in detail by F-droid and others, will get severely crippled if not entirely killed with this. Google knows this, and they are doing it anyways.

Don't buy into their BS security promises, it's just standard Big Tech lies. Almost no one sideloads or get apps from alternative stores, most alternative stores are far safer and more consistent in their security and privacy rules in comparison to Google Play Store, and there was no need to take all the steps they are doing if the only objective was improving safety on the platform.

So, it is yet another demonstration (out of who knows how many hundreds or thousands of others) on how far Big Tech is willing to go to remove consumer choice, force developers to pay or surrender their private data even if it is just to develop FOSS apps in their platform, and it should be obvious by now that this is only getting worse, they are only ramping up things, they are only forcing things through, because it's purely line goes up economics.

This is, straight out, a move to cripple/kill FOSS as a safer and more private alternative on Android.

It also demonstrates the importance of things like Firefox. If Google is willing to take this much of a huge dump on top of Android users, it's no doubt also willing to do this for Chromium and other Google controlled or top heavy open source projects - also a reason why I don't trust RCS' shift towards a security layer for E2E message encryption (MLS) that is controlled by a consortium that Big Tech is part of.

I'm also now redoubling efforts to keep submitting complaints to banks and government related apps that are still using Google APIs that effectively forces you to use Android with Google. I need alternatives, even if is to use those services via browser only, so that I can move away from Big Tech entirely.

 

[Hezio]

I see that I am in the minority with this opinion, but I think the 24-hour cooldown is a really good compromise to help prevent coercion and, more likely, someone with temporary unauthorized access. And for the power user who needs to sideload apps all the time, it doesn't seem too onerous to wait 24-hours once when you get the phone and set it to indefinitely allow.

The $25 fee and other hurdles for developers seems like the much bigger issue here.

If it's social engineering, they'll just be instructed to download stuff from the Play Store like Team Viewer anyway, so this shit is pointless.

If it's someone that has taken your phone or detained you, they have no trouble waiting 24 hours or longer even if they want to.

So no, this is completely pointless.

 

[liquidblueocean]

So other app stores have to pay Google, and all their vendors have to pay Google? Sounds anti competitive when Google has power over the apps your store vends

 

[Kazper]

You mean like how the article mentions there's an "allow indefinitely" option?

No. That means unverified installs are allowed indefinitely. I want to be able to toggle that on and off without waiting 24 hours after the first 24 hour wait.

 

[veldrin]

I assume this is your typical public/private key situation where Google gets the public key so they can verify the apps are signed by the dev private key. They can't sign something as the dev just verify the packages are from a particular dev who has been verified.

I don't think the $25 for verifying is that bad. It's a one time thing for an account as far as I can tell. That's pretty minimal and then you can presumably release as many apps as you want with any updates you want at any time. You don't want to make it completely free because people abuse the verified accounts and treat them as disposable. At least if you've got a minor fee there is some cost and you can do things like looking for someone verifying dozens or hundreds of accounts with the same payment info to try to prevent abuse.

I also think the 24 hours thing is fine. Your average user is never going to go into this in the first place. If you know you want to be able to side load things just go in and do this when you first setup the phone and set it to indefinite. You've now opened it up to side load as much as you want with out any delays. You've got your behavior that you want. I don't have a problem with the assumption that your typical person suddenly wanting to sideload something is probably being scammed and a 24 hour road block is probably a good thing.

I think this is a reasonable take. I am not at all happy about these restrictions, but I'm more mad at the scammers who make it necessary to put up the roadblocks to prevent non-technical users from being marked than I am at Google for making it harder for people to get scammed.

 

[zdanee]

I am so sick and tired of this freefall we've had the last year and a half... We all knew having a monopoly is bad, that's why we had antitrust laws, and yet here we are again, one giant corporation telling the rest of the world what they are allowed or not allowed to do with the device they own. Want to keep using the old one? We'll just change the networks so you'll have to ditch it, and mandate updates in the meantime so you can keep using your apps. Apps that are no longer just entertainment and convenience, it is your payment method, your ID, you link to your family. We have it all in the grasp of our greedy hands, F U and your family, you are a worthless pebble, even less, a grain of sand under our feet, give us your information, you money then please go d1e in a hole, thx! Oh, you don't like it?! But we do it "for the children!" So you hate children? I bet you also diddle them too! Here, have this A.I. mis-identify you from a security footage, you go to jail now! Ha-ha!

 

[NeoMorpheus]

Not that I agree 100% with this, but its partially reasonable.

I know is taboo in here to say this, but I would love t have the same option on iOS devices.

Plus I wish that more effort was made in forcing these manufactures to allow unlocking the bootloader so I can install another OS if I want and yes, also include iOS devices.

Its insane to think that you pay over a thousand dollars for a device that you simply have no control or say about it.

 

[contrasia]

So on my Samsung S24, they've already removed even the ability to enable Unverified Sources under Dev options, so unless they bring that option back, I won't even be able to follow even the basic first part of the instructions. It's a standard Samsung phone, so I'm concerned that since Google is implementing the restrictions, the function to regain the function won't be rolled out equally to locked OEM mobiles.

My S24 has been without the feature since the last patch, and I've been suffering a fair bit without it.

 

[MechR]

So on my Samsung S24, they've already removed even the ability to enable Unverified Sources under Dev options, so unless they bring that option back, I won't even be able to follow even the basic first part of the instructions. It's a standard Samsung phone, so I'm concerned that since Google is implementing the restrictions, the function to regain the function won't be rolled out equally to locked OEM mobiles.

My S24 has been without the feature since the last patch, and I've been suffering a fair bit without it.

Big if true. I tried finding other reports of this online to confirm, but instead found that they've been removing recovery-menu options, including ADB sideloading.

 

[ClemCa]

One time fees never stay that way.

And this is yet another step Google is taking in the long road to coerce people into stopping modifying their phones from surveillance capitalism stock. It has been going this way for years. Arguably since Samsung debuted Knox and corporate America thought that Knox was a great idea.

Also they may do the same shit they do on Google Play, where they will close your dev account for inactivity, and the only option is to create a new one and pay again. Not publishing anything for a year or two is not a sin.

 

[pseudobscura]

Avoid unauthorized malware on your phone while Google harvests everything you do and create to train their next shitty LLM.

"At Google, we pride ourselves on allowing only authorised malware on our platforms ..."

 

[entropy_wins]

I would bet $10,000 that Google won't verify the developer of any app that gets around ads in YouTube. Why take $25 from one dev when they can take $23/month/user indefinitely?

This isn't to combat malware. It's to reduce the simplicity of installing apps that reduce income for Google. They won't say that though.

well Google should have been broken up years ago - but that's why they formed "Alphabet".

The shell game for liability is why "Meta" is holding "FB" etc....

The best search engine on the planet is one that shows you what you want.

The best ad engine on the planet is one that shows you what you need.

We have the worse of both worlds with the current Google search....

 

[auhim]

I think one of the options that will fulfill your wish is Fairphone with MurenaOS (/e/OS)

I have an old Pixel 6 Pro from a previous job that I've run both /e/OS (community build) and Graphene (officially supported) on to test. Subjectively I don't feel either is mainstream ready yet, especially with app support which is going to require some ecosystem building. They both have their solutions for running Google Play Store apps (after you retrieve the Google Play Store itself) but it's still a compromised experience because of the way apps expect official Android.

I can optimistically imagine a few years of development on the tech, economic, and political sides that translate to people being able to run something similar to one of these branches and a Europe-based app store (one of many, ideally!) that gets releases about the same time Google's does while eschewing Google-specific APIs.