Big Changes Coming to Android Sideloading

I have long valued the Android operating system for its openness, particularly the ability to sideload applications outside of the Google Play store. Whether I am installing a PlayStation 2 emulator on a budget tablet or adding specialized benchmarking tools to a Google TV device, the process of downloading an APK file and bypassing the official storefront has been a hallmark of the platform.

But this flexibility is set to be placed under significant restrictions as Google prepares to implement a new policy governing how apps are distributed and installed outside the Play Store.

See more in my latest analysis video!

Under the new rules, developers who wish to offer apps for sideloading will be required to verify their identity with Google, providing legal names, addresses, and official government identification. For organizations, this includes providing a D-U-N-S number and a verified website. Even if an app is hosted on a private website rather than the Play Store, it must be registered with Google and signed with a private key. While there is a limited distribution tier for small-scale projects involving fewer than 20 devices, broader distribution will require a registration fee, currently set at approximately $25.

For the average user, installing an app whose developer has not registered through this scheme is becoming notably more complex. When attempting to sideload an unsigned application, a user must first confirm they are not being coached by a third party to disable security settings. This is followed by a mandatory device reboot and full reauthentication of their Google account, intended to terminate any potential remote access session or active call. Most notably, a 24-hour waiting period is then triggered. Only after this day-long delay can the user return, verify their identity via biometrics or a PIN, and finally complete the installation.

These protections can be enabled temporarily for seven days or indefinitely on a per-device basis. Google maintains that these steps are necessary to combat rising instances of malware and social engineering, citing examples like banking fraud and malicious software disguised as wedding invitations. By adding these layers of friction, the company aims to protect vulnerable users who might be pressured by scammers into installing dangerous software. Yet, for those who understand the risks and simply want to maintain control over their hardware, these changes introduce a substantial inconvenience.

Opposition to this shift is already organizing under the “Keep Android Open” banner. This group argues that Google is retroactively locking down an operating system that was originally marketed as the open alternative to Apple’s closed ecosystem. A point of concern for many is that these changes are not being implemented through a standard Android OS update. Instead, they are being rolled out via Google Play Services. This means the new rules can be applied to billions of existing devices without a full firmware overhaul. The rollout is scheduled to begin this month in regions including Brazil, Indonesia, Singapore, and Thailand, eventually expanding globally.

The tension here lies between individual autonomy and collective security. While Google’s stated intent is to minimize liability and protect users from financial theft, the methods chosen may fundamentally alter the relationship between the user and their device. I would prefer to see these options managed at the account level, allowing experienced users to opt out of the 24-hour waiting period while keeping protections active for others. As these policies take hold, we may see a rise in interest for alternative, open-source mobile operating systems like GrapheneOS, which prioritize privacy and sideloading without Google’s oversight.