{"id":16332,"date":"2026-03-20T10:50:18","date_gmt":"2026-03-20T17:50:18","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=16332"},"modified":"2026-03-21T06:51:11","modified_gmt":"2026-03-21T13:51:11","slug":"google-details-new-24-hour-process-to-sideload-unverified-android-apps","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2026\/03\/20\/google-details-new-24-hour-process-to-sideload-unverified-android-apps\/","title":{"rendered":"Google Details New 24-Hour Process To Sideload Unverified Android Apps"},"content":{"rendered":"\n<p>Verified developers is just a money grab, costing devs $25 to register. And this 24 hour waiting period is pretty odd, which just goes along with making this a pain so only the most persistent will bother. I&#8217;d bet money the foundation of this will allow them to disable it at a later date with the right impetus, with a further lockdown of your device inbound, including agentic AI spyware. A Graphene OS phone will soon become a requirement. And since Android is opensource, this is why they&#8217;ve been working on a replacement phone OS. Consequently, I use F-Droid which is an opensource alternative to the Google Play Store, and have replaced most of the Google apps with opensource alternatives to limit tracking, with a huge one being the <a href=\"https:\/\/jasonsblog.ddns.net\/index.php\/2022\/06\/26\/android-privacy-keyboard-anysoftkeyboard\/\" target=\"_blank\" rel=\"noreferrer noopener\">keyboard you use<\/a> along with dialer, contacts, SMS client&#8230;<\/p>\n\n\n\n<p><a href=\"https:\/\/arstechnica.com\/gadgets\/2026\/03\/google-details-new-24-hour-process-to-sideload-unverified-android-apps\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/arstechnica.com\/gadgets\/2026\/03\/google-details-new-24-hour-process-to-sideload-unverified-android-apps\/<\/a><\/p>\n\n\n<div class=\"wp-block-ub-divider ub_divider ub-divider-orientation-horizontal\" id=\"ub_divider_72c0c5e2-8a32-4770-b3a7-5e2eb9e81245\"><div class=\"ub_divider_wrapper\" style=\"position: relative; margin-bottom: 2px; width: 100%; height: 2px; \" data-divider-alignment=\"center\"><div class=\"ub_divider_line\" style=\"border-top: 2px solid #ccc; margin-top: 2px; \"><\/div><\/div><\/div>\n\n\n<h5 class=\"wp-block-heading\">The \u201cadvanced flow\u201d will be available before verification enforcement begins later this year.<\/h5>\n\n\n\n<p>By Ryan Whitwam<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2026\/03\/developer-identity-hero-1152x648.jpg\" alt=\"\"\/><\/figure>\n\n\n\n<p>Google is planning big changes for Android in 2026 aimed at combating malware across the entire device ecosystem. Starting in September, Google will begin <a href=\"https:\/\/arstechnica.com\/gadgets\/2025\/08\/google-will-block-sideloading-of-unverified-android-apps-starting-next-year\/\">restricting application sideloading<\/a> with its developer verification program, but not everyone is on board. Android Ecosystem President Sameer Samat tells Ars that the company has been listening to feedback, and the result is the newly unveiled advanced flow, which will allow power users to skip app verification.<\/p>\n\n\n\n<p>With its new limits on sideloading, Android phones will only install apps that come from verified developers. To verify, devs releasing apps outside of Google Play will have to provide identification, upload a copy of their signing keys, and pay a $25 fee. It all <a href=\"https:\/\/arstechnica.com\/gadgets\/2026\/03\/with-developer-verification-googles-apple-envy-threatens-to-dismantle-androids-open-legacy\/\">seems rather onerous<\/a> for people who just want to make apps without Google\u2019s intervention.<\/p>\n\n\n\n<p>Apps that come from unverified developers won\u2019t be installable on Android phones\u2014unless you use the <a href=\"https:\/\/android-developers.googleblog.com\/2026\/03\/android-developer-verification.html?m=1\">new advanced flow<\/a>, which will be buried in the developer settings.<\/p>\n\n\n\n<p>When sideloading apps today, Android phones alert the user to the \u201cunknown sources\u201d toggle in the settings, and there\u2019s a flow to help you turn it on. The verification bypass is different and will not be revealed to users. You have to know where this is and proactively turn it on yourself, and it\u2019s not a quick process. Here are the steps:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable developer options by tapping the software build number in About Phone seven times<\/li>\n\n\n\n<li>In Settings &gt; System, open Developer Options and scroll down to \u201cAllow Unverified Packages.\u201d<\/li>\n\n\n\n<li>Flip the toggle and tap to confirm you are not being coerced<\/li>\n\n\n\n<li>Enter device unlock pin\/password<\/li>\n\n\n\n<li>Restart your device<\/li>\n\n\n\n<li>Wait 24 hours<\/li>\n\n\n\n<li>Return to the unverified packages menu at the end of the security delay<\/li>\n\n\n\n<li>Scroll past additional warnings and select either \u201cAllow temporarily\u201d (seven days) or \u201cAllow indefinitely.\u201d<\/li>\n\n\n\n<li>Check the box confirming you understand the risks.<\/li>\n\n\n\n<li>You can now install unverified packages on the device by tapping the \u201cInstall anyway\u201d option in the package manager.<\/li>\n<\/ul>\n\n\n\n<p>The actual legwork to activate this feature only takes a few seconds, but the 24-hour countdown makes it something you cannot do spur of the moment. But why 24 hours? According to Samat, this is designed to combat the rising use of high-pressure social engineering attacks, in which the scammer convinces the victim they have to install an app immediately to avoid severe consequences.<\/p>\n\n\n\n<figure class=\"wp-block-image alignwide\"><a class=\"cursor-zoom-in\" href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2026\/03\/advanced-flow.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2026\/03\/advanced-flow.png\" alt=\"bypass advanced flow UI\"\/><\/a><figcaption class=\"wp-element-caption\">You\u2019ll have to wait 24 hours to bypass verification. Credit: Google<\/figcaption><\/figure>\n\n\n\n<p>\u201cIn that 24-hour period, we think it becomes much harder for attackers to persist their attack,\u201d said Samat. \u201cIn that time, you can probably find out that your loved one isn\u2019t really being held in jail or that your bank account isn\u2019t really under attack.\u201d<\/p>\n\n\n\n<p>But for people who are sure they don\u2019t want Google\u2019s verification system to get in the way of sideloading any old APK they come across, they don\u2019t have to wait until they encounter an unverified app to get started. You only have to select the \u201cindefinitely\u201d option once on a phone, and you can turn dev options off again afterward.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Choice vs. security<\/h2>\n\n\n\n<p>According to Samat, Google feels a responsibility to Android users worldwide, and things are different than they used to be with more than 3 billion active devices out there.<\/p>\n\n\n\n<p>\u201cFor a lot of people in the world, their phone is their only computer, and it stores some of their most private information,\u201d Samat said. \u201cOver the years, we\u2019ve evolved the platform to keep it open while also keeping it safe. And I want to emphasize, if the platform isn\u2019t safe, people aren\u2019t going to use it, and that\u2019s a lose-lose situation for everyone, including developers.\u201d<\/p>\n\n\n\n<p>But what does that safety look like? Google swears it\u2019s not interested in the content of apps, and it won\u2019t be checking proactively when developers register. This is only about identity verification\u2014you should know when you\u2019re installing an app that it\u2019s not an imposter and does not come from known purveyors of malware. If a verified developer distributes malware, they\u2019re unlikely to remain verified. And what is malware? For Samat, malware in the context of developer verification is an application package that \u201ccauses harm to the user\u2019s device or personal data that the user did not intend.\u201d<\/p>\n\n\n\n<p>So a rootkit can be malware, but a rootkit you downloaded intentionally because you want root access on your phone is not malware, from Samat\u2019s perspective. Likewise, an alternative YouTube client that bypasses Google\u2019s ads and feature limits isn\u2019t causing the kind of harm that would lead to issues with verification. But these are just broad strokes; Google has not commented on any specific apps.<\/p>\n\n\n\n<figure class=\"wp-block-image alignwide\"><a class=\"cursor-zoom-in\" href=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2026\/03\/sideloading-choice.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2026\/03\/sideloading-choice.png\" alt=\"\"\/><\/a><figcaption class=\"wp-element-caption\">Google says sideloading isn\u2019t going away, but it is changing. Credit: Google<\/figcaption><\/figure>\n\n\n\n<p>Google is proceeding cautiously with the verification rollout, and some details are still spotty. Privacy advocates have expressed concern that verification will create a database that puts independent developers at risk of legal action. Samat says that Google does push back on judicial orders for user data when they are improper. The company further suggests it\u2019s not intending to create a permanent list of developer identities that would be vulnerable to legal demands. We\u2019ve asked for more detail on what data Google retains from the verification process and for what length of time.<\/p>\n\n\n\n<p>There is also concern that developers living in sanctioned nations might be unable to verify due to the required fee. Google notes that the verification process may vary across countries and was not created specifically to bar developers in places like Cuba or Iran. We\u2019ve asked for details on how Google will handle these edge cases and will update if we learn more.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Rolling out in 2026 and beyond<\/h2>\n\n\n\n<p>Android users in most of the world don\u2019t have to worry about developer verification yet, but that day is coming. In September, verification enforcement will begin in Brazil, Singapore, Indonesia, and Thailand. Impersonation and guided scams are more common in these regions, so Google is starting there before expanding verification globally next year. Google has stressed that the advanced flow will be available <em>before<\/em> the initial rollout in September.<\/p>\n\n\n\n<p>Google stands by its assertion that users are 50 times more likely to get malware outside Google Play than in it. A big part of the gap, Samat says, is Google\u2019s decision in 2023 to begin verifying developer identities in the Play Store. This provided a framework for universal developer verification. While there are certainly reasons Google might like the control verification gives it, the Android team has felt real pressure from regulators in areas with malware issues to address platform security.<\/p>\n\n\n\n<p>\u201cIn a lot of countries, there is chatter about if this isn\u2019t safer, then there may need to be regulatory action to lock down more of this stuff,\u201d Samat told Ars Technica. \u201cI don\u2019t think that it\u2019s well understood that this is a real security concern in a number of countries.\u201d<\/p>\n\n\n\n<p>Google has already started delivering the verifier to devices around the world\u2014it\u2019s integrated with Android 16.1, which launched late in 2025. Eventually, the verifier and advanced flow will be on all currently supported Android devices. However, the UI will be consistent, with Google providing all the components and scare screens. So what you see here should be similar to what appears on your phone in a few months, regardless of who made it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Verified developers is just a money grab, costing devs $25 to register. And this 24 hour waiting period is pretty odd, which just goes along with making this a pain so only the most persistent will bother. I&#8217;d bet money the foundation of this will allow them to disable it at a later date with [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,7],"tags":[],"class_list":["post-16332","post","type-post","status-publish","format-standard","hentry","category-tech","category-world"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/16332","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=16332"}],"version-history":[{"count":3,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/16332\/revisions"}],"predecessor-version":[{"id":16343,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/16332\/revisions\/16343"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=16332"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=16332"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=16332"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}