Does anyone here actually support Google’s Developer Verification?
I don’t. I’ve put a warning about it in my repo because I’m against policies like sideloading restrictions, forced ID verification.
Curious what other devs here think. Is Play Store still worth the hassle?


Yes I am.
I spend a long time of my career in IT Sec.
80% of android users will freely install whatever APK from wherever.
Info stealer infected fake apps are a massive risk to a huge part of the user base.
Yes, it will get a little bit more complicated to sideload. But nobody is prevented from it.
And everybody that is against user protection (and yes, this is fucking user protection, just not for you) is invited next Christmas to de-worm the android devices of my family without wiping them.
EDIT for all those that only read the memes. Sideloading will NOT be disabled. You have to jump though extra hoops.
Yes, the way they do this is not even testable yet and we can argue over details.
I support the principal idea, as someone who had to live with the fallout of people who installed “it support apps” because someone told them to
I think you should invite people to join you on not one, but two Christmasses to compare before and after. I’m sure they won’t magically fix things this time, at best it would be a little setback not changing much in the end. What it would do is directly giving Google even more power while hurting open source community, alternative appstores and OSes.
I should care because? Do they care about me not wanting google shoved in every aspect of my life?
Then just don’t use an android phone, that’s a choice isn’t it???
“Google shouldn’t have restricted Android, that’s their (anti-user) choice, isn’t it???”
The other party shouldn’t be able to unilaterally chance the terms. It is my phone, after all, and I strongly believe I should be able to do whatever I can with the devices I own.
Even then, what other choice for an usable but actually of property of the user phone do you suggest? iPhone?
It’s also extremely convenient for Google, a company lobbying ID laws, to add ID harvesting; or for Google, a company pushing for anti-user behaviour to add anti-user behaviour. If this was about security, they would stop shipping spyware, and take security seriously, something they do not.
Technically, you can always use the library and the post office, so yeah, it’s a choice. I guess.
How about an apple phone?
Or how about that: projects like Linux and Ubuntu phones died because there was no interest in it, because there was Google. And now, everybody wants an alternative.
They are out there, you can use opensource Android forks, you don’t have to use Google
Soon to be locked out from participating in society because of play integrity, digital IDs and age verification. The EU is very likely to use strictly Apple/Google, the very monopolists they “despise”. Don’t give me the “just go to the post office by foot”… I could also “technically” live in a cave, I guess. Man stfu, your bullshit doesn’t stick here.
Ah another myth “the EU App”, I will not go I to detail, but each member state must implement its own app. Yes, the reference implementation uses Google services currently, but there is not a single , working , published app! Not one.
So I’ll be back at the end of the year, be proven right and you got your pay and your karma anyway.
Proven right with what? To be clear; I can not see in the future and if member states copy the EU implementation 1:1, then at least we can fight against it in that level. Because, an implementation relying ok US Google would violate multiple European regulations.
But as it seems, misinformation and propaganda won, facts are now subjective and we just give up and bow to big corpo, because those shit hats profit from exactly this kind of bullshit.
Most scam apps are in the Google Play Store btw
maybe because it was to easy to upload to the googleplay store. Maybe there should be some kind of verification of the person uploading. How could this be accomplished?
Joking aside I don’t think side loading should be encoumbered like this, but for the official app store it makes sense.
If their IA was so great, they would use it to curate the mess that is their app store…
Spoken like a true Microsoft and Google agent.
Because I think we should protect people that are not tech savvy. I am open for a debate
Your heart is in the right place, but your mind is not.
Google et.al. is pushing for IDV in every segment due to lobby pressure from meta to build REAL user database for advertisement purposes in the age of LLM drivel. Every “protect the *” has meta’s government lobbyists behind it.
There could be alternative approaches, but meta’s goals just so happens to align well with a fascist government’s that thinks they need to stamp out dissenting voices and anonymity.
Not denying that there could be better ways, and also, that was never the question .
Total control and taking away freedom is not negotiable. Not literally, but: “Maybe we should ban programming languages on Windows and Linux too, because it could be used to program viruses. We should protect the not so tech savvy.” See what I mean? Instead we should look forward to a better way of helping them. The proposed way of Google is not acceptable.
A ridiculous and absurd lie. 90% have zero clue what one is, let alone go into the developer settings (there are one, maybe two settings you have to enable) to change the settings to even make that possible. Why are you lying about this? It’s weird.
I am lying? OK, so is:
I have over 2 decades of background in hardcore IT-Sec, i know my stuff. And you? What is your qualification, where are your sources?
I wonder if a statement like this ever once convinced anyone of anything. My guess would be it nearly always has the opposite effect. You basically told me that whatever I know doesn’t matter because “trust me bro”. For all I know, you’re the worst source ever for literally every topic. Your articles didn’t back you up. Why do people bother with shit like this? “I’m an expert so what I say goes” is idiotic and in no way addresses the common sense point I was making: the average person definitely doesn’t know or install apks because of fucking course they don’t. If you said 80% would if scammed, that’s at least plausible but I’m not even sure I could believe that. The well is poisoned now in any case so you’re not convincing anyone here after this… Whatever masturbatory shit this was. Or just shilling for a corporation? Who the fuck knows
He just using the old “Argument from Authority” logical fallacy. I’ve worked with tons of people, even those that did in fact “know their stuff”, that thought it was perfectly valid to dismiss others because of their experience being more extensive than others. Ironically, after I’d prove these people wrong in serious matters (usually several times), I somehow got added to the nebulous authority whitelist in their head. I don’t want to just be believed became I’m dammit, believe me when I’m correct and provide evidence!
That is why I linked sources. I don’t say trust me bro.
You do, actually.
This translates to anyone who isn’t you to:
And again if you’re going to make this 80% claim and then say you sourced it, don’t link shit that’s sort of related but in no way backing up that claim. No one here is saying malware isn’t a problem. You’re getting downvoted for making specific claims which are absurd.
That is a general issue of online debates.
I can not squash 20 years of daily learning into a comment.
I can point you to sources where you can verify it our self. Social engineering studies, blog post about campaigns from other researchers.
Placing m credentials there is my kind of saying “I have insight, ask”, but how do you think should something like this communicated.
We have a highly sensitive topic, with a lot of obsolete or just misinformation.
It is a highly complex topic that can not be simply understood by most persons, but social media opens a place for debate anyways.
There are many other examples for this happening and it is bad. Very bad.
Another example Google wants to get rid of third party cookies. Instead they want to to adspace action on your local system. In our browser, protected. But bad, because Google. Firefox could implement the same API on better, but no, bad because Google.
Google is not the good guy. But just throwing out every fucking Idea because Google Had it (or was forced into it, allowing sideloading again was because of pressure) is just not what we need
This is so much beating around the bush. Somehow you’ve managed to ignore the 15 times I’ve pointed it out: most users do not install apks. That’s all. You claimed they did and I said that was dumb. So anything else is just a distraction from the point I was trying to make. Google is pretty shitty but you might have a point that not everything they do is shitty… But that’s not what the conversation started as. And I don’t really care to change the subject at this point.
How do you now that?
Again, the ability to install a completely unverified APK is used in real, successful, attacks.
The user DOES NOT KNOW WHAT HE IS DOING! That is the entire point!
If users would know what this is and understand, maybe it would be less if a risk.
Given that your first article says nothing about 80% I’m not continuing to click your links.
I was being generous when I said 90%.
Source: I have ever spoken to another human.
Because people do not know what apps are and that they can be installed via sideloading, faked appstores and more, they are vulnerable.
If I ask a “normal” person if the ever drunk di-hydrogen-monoxid they would say no, because they have no idea this is water
Okay either you’re trolling or clueless. Because you just made my argument for me. How exactly are people who don’t know what an app is going to enable side loading and then do it? That makes no sense whatsoever.
How does somebody give his bank account creds to a scammer?
Ok, trolling. Got it.
I am 100% serious. Maybe you should look up what social engineering is and how it works.
People install TeamViewer and other stuff on their desktop, the execute commands in their terminal without nowing what it is.
ou have clearly 0 qualifications to talk about it security
so the real-world id requirement is also user protection? play store is basically an info stealer at this point.
so your family’s devices get their apps from outside the play store?
people are effectivly prevented from sideloading. not “just a little more complicated”
of course nana uses adb exclusively to install apps on her smartphone, after all this is a totally real story about user protection right?
Alternate stores like Accrescent and FDroid are blocked by this policy, and Google refuses to implement any mechanism for authorising at the store level either. Store level authorization is an obvious alternative to verification of each individual app.
Both Accescent and FDroid have some oversight processes in place, and do not contain “random” APKs. Googles actions show the real motive, which is control… not security.
Ok, why are they blocked? Technically? Explainer please
They are de-facto “blocked” for developers that refuse to submit their identity to Google. I think you might not be understanding the implications of Google’s policy, please read this open letter to learn more: https://keepandroidopen.org/open-letter/
If a developer doesn’t submit to identify verification, under the new system their app could not be installed regardless of what store it is distributed on.
Needing individual devs to identify themselves directly to Google is invasive. Stores, however, could identity themselves to Google (or the world) as having security processes in place. Then they could be allowed as official 3rd party stores, similar to how the Linux repository system works.
That is no longer true!
It is what I would call “functionally true”. You have to enable developer mode to install unverified apps. A very, very small subset of users are going to do that.
https://android-developers.googleblog.com/2026/03/android-developer-verification.html?m=1
If you have more information on this, please share.
You have to enable it. And I would love a dedicated switch.
Currently, you need to enable third party install sources.
And one could argue that the fact that most people will not enable developer mode is a clear sign that this is a protection.
In my very very personal opinion: people that do not want to enable developer mode should maybe not install apps from third parties. Developer mode itself unlocks a few switches, and none of them is enabled per default. This is a pretty safe action IMHO.
There is a way to avoid this, but this is the device owner mode. You need an app that takes full control over device ownership, and those apps are allowed to do anything including installing any app.
One example is OwnDroid.
An opensource app that is signed by a dev and allows to manage install sources would be a working solution with better security.
If someone builds it
IMO the answer from a security perspective is that the Linux distro “official repo” model is about as good as it gets. However somehow we still have Fedora COPR, openSUSE OBS, Arch AUR, etc. Those are essentially like FDroid. If someone can solve the problem of why apps can’t be easily just added and controlled in the official repos, maybe we’d be getting somewhere. Seems to be an industry issue.
100% Agreement
For someone who possibly considers themselves better informed than others, you’re seem to be missing the fact that Google’s plan had no option for sideloading unverified apps until a sizeable outcry from us (a lot of professional developers and users). Unverified app installation was only allowed (via new hoops) after this action. For now. The fact that Google’s plan did not have an option for installing unverified apps shows us what they really want. Therefore it won’t be surprising if they make it increasingly difficult or impossible in the future.
I’m pretty sure they originally planned to allow sideloading through ADB, but I might be mistaken.
I think I recall the same. Otherwise development would be a nightmare. But then again, that isn’t remotely equivalent to sideloading (as colloquially understood) and would still kill F-Droid. Not saying you’re saying it’s equivalent.
What Apple does is they give you a temporary certificate that expires in a week.
Works for development. Makes actually using your own apps impossible.
– Frost
Nobody asked if I would be fine with disabling sideloading. The answer would be no
So with your career in ITSec, you’re aware of the massive amount of malware found in the play store? That it has historically been the main distribution vector for malware?
You are downplaying the hoops here by a lot. To install software on my own phone.
Stop calling installing software “side loading”. Its nonsense.
I k ow that the Playstore is also full of crap, I don’t deny this.
But, just because our back window does not close correctly, do you leave the front entrance open?
Not the best analogy maybe, but a visual one
Except you have it backwards. The play store is the primary vector. The play store is also pre-installed on Android devices, and even without the whole verification nonsense, you still need to allow a different app repository to install.
Not cleaning their own play store up first means it has nothing to do with what they are claiming. And lets be candid - they have absolutely not.
The analogy is bad specifically because its not reflecting the issues anywhere near accurately. This is closing a window on the second floor while the front door is wide open with a sign that says “Come on in!”.
That assumes that Google does not do anything about the appstore and that is objectively not true.
Is it enough? No ideas, but still, it does not change the need for better endpoint security.
I firmly disagree. The issue has nothing to do with the endpoint. They have done very little with the play store relative to this massively impactful change to installation practices in creating a walled garden - precisely the reason many, myself included, chose not to go with iOS in the first place.
So the very idea that this is an endpoint security issue rather than an app store issue is, to me, laughable at best.
Then we agree to disagree.
I think we are manly on the same page, but different opinions on priority and that’s fine.
I declare both as a risk.
From my perspective, with this change, we could make Google directly reliable for malware in the appstore.
While this started as a very anti consumer change, as long as sideloading stays possible, this is a good measure.
There is no reason they shouldn’t be now. Developer verification for the play store is one thing. Developer verification for installing an application on your own device is wholly separate.
And one is substantially higher risk than the other. Namely, the play store. As we recently saw with tens of millions of downloads from just a handful of apps in the play store. Does requiring this developer verification on a device resolve that problem? No. Not even remotely, does it?
As long as it impacts the device use (it does), it still is.
I’m leaving Android over this. I doubt I’ll be the only one.
Good! I hope alternative mobile operating systems get traction out of this!
And again, there is no verification need anymore! That is exactly why I am so pissed about this debate in general.
Is the workflow simple? No. Is the 24hour period comfortable? No. Do I understand why? Yes, but one or two hours would be enough
At least make it a toggle, like you need to request access for your account for your phone.
Kneecapping everyone because idiots exist is idiotic.
It is a toggle. they just locked said toggle behind a 24 hour time lock. It’s ridiculous. I think if they kept it the way it was without said time lock it wouldn’t be anywhere near as controversial.
I don’t want Google to control how many and often I install apps or update them. Imagine having this 24 hour time lock on your PC. Do you know how many people get scammed or malware on PC? Should this be adopted everywhere, because its a good solution? Off course its ridiculous. 24 hour time lock is not acceptable solution. The is literally the worst toggle I have seen in my life.
That’s not even the only issue. Developers have to give their identity / pass to Google. That alone is a multi-worm-level of issue. Google doesn’t care about its users, they only care about controlling the market and everyone.