Google is changing how Android lets you install apps from outside the Play Store — and it’s doing it in a way that almost invites a shrug from power users and a stack of paperwork for everyone else.
At a high level: the company will not outlaw sideloading, but it will bury the ability behind an "advanced flow" that is deliberately inconvenient. The stated goal is to blunt social-engineering scams — the kind where someone on the phone or chat rushes you into turning off security protections and installing a malicious app. The mechanics of the new process make that rush a lot harder.
What the new process looks like
If you want to install an app from an unverified developer, you’ll now have to:
- Enable Developer Options in Android system settings.
- Find and tap the new "Allow Unverified Packages" toggle (it’s tucked away on purpose).
- Confirm a short on-screen checklist that asks you to affirm you aren’t being coerced or coached.
- Restart your device (this severs active calls or remote sessions a scammer might be using).
- Wait through a mandatory 24-hour security delay.
- Return to settings and confirm the change with a biometric or PIN. Only then can you opt to allow installs from unverified developers either temporarily (Google says seven days is an option) or indefinitely.
- Scammers can simply buy or steal verified developer accounts and keep scamming.
- Indie devs and small creators lose friction-free distribution; identity checks and even small fees change the calculus for hobby projects and privacy-focused apps.
- Third-party app stores and alternative distribution channels will be swept into the verification regime, shifting more control to Google over the broader Android ecosystem.
There will still be a warning when you install an app from an unverified developer, but you can dismiss it — after you’ve completed the whole rigmarole.
Google pairs the advanced flow with a new developer verification scheme. Independent developers who want to distribute apps without using Play will be asked to register, tie signing credentials to that identity and — for broader distribution — pay a fee and submit government ID. Hobbyists and students will be able to use a free "limited distribution" account that covers up to 20 devices without ID or a paid fee.
Why Google says this is necessary
The company frames this as a common-sense anti-scam move: scammers frequently create urgency, stay on the line, and walk victims through disabling protections. The restart + 24-hour pause + identity confirmation sequence is meant to interrupt that playbook and give a targeted user time to reconsider.
Google also argues the verification requirement increases accountability: if a verified developer distributes malware, the company can take action against an identified account — a bit like an ID check that doesn’t screen luggage but makes bad actors easier to trace.
The trade-offs are obvious
For security-minded people the approach may look sensible. The 24-hour cooling-off period alone will stop a lot of frantic abuse. But critics see the change as a subtle but significant narrowing of Android’s openness.
A few predictable worries:
The policy comes on the heels of Google’s settlement in its long antitrust fight over the Play Store and its wider adjustments to Play Store fees. The company’s broader push to both tighten security and reshape how apps move around Android is part of that same moment of change (and you can read more on how Google is reshaping the Play Store here) — changes that will ripple through developers and users alike. Google Play bets on buy-once games, Game Trials and a Wi‑Fi Sync
A new normal for power users
Practically speaking, dedicated users will still be able to sideload — but it won’t be as frictionless. That’s presumably the point. The override is deep enough that most casual users won’t accidentally discover it, and the restart+delay makes phone-based coercion harder.
Some device makers may add hardware or software privacy tools of their own; companies have been experimenting with screen privacy layers and other protections that change what a scammer can see or do remotely. Those efforts will matter more as distribution gets tighter on the OS level — and if you’re interested, some handset privacy features can be worth a look when you make purchasing choices. Samsung’s hardware privacy screen is one example of these trade-offs
What developers should know
Google plans to let developers sign up for early access to the verification process. The free limited-distribution option (20 devices) is intended for classroom projects, prototypes or close-knit beta circles. If you want broader distribution without Play you’ll likely need to pay the registration fee and ID-verify your account.
That’s a meaningful change for the tiny teams and single-author projects that powered much of Android’s early diversity. Some will migrate to Play with a verified account; others may end up on alternative platforms or host APKs behind gated installs — all outcomes that change how users discover software.
A slow squeeze or sensible protection?
There’s no single right answer. The advanced flow is clever at addressing a narrow, real problem: social-engineering installs. But it also hands Google more leverage over who can circulate software broadly on Android.
If you’re a tinkerer, you’ll survive; the steps are clumsy but doable. If you’re an indie developer who relied on anonymous distribution or simple APK hosting, this raises the bar. And for the general population, the change may mean fewer scams — or simply different scams.
Either way, Android’s old promise of frictionless installation is changing. Whether that’s a protective jacket or a slow tightening of control depends on how Google enforces verification, how easily bad actors game the system, and how much users and developers push back over the coming months.
