From September 2026, certified devices in Brazil, Indonesia, Singapore and Thailand will first block unverified apps, with global expansion through 2027 via the Play Integrity API.
Developers distributing outside Play must submit government ID, address and signing keys, while users face warnings and a 24-hour delay for advanced bypass options.
Google cites far higher malware risk in sideloaded apps, but critics say the policy threatens F-Droid, hobbyists and privacy-focused tools; 55 groups from 19 countries have urged reversal.
With Google's new ID mandate, is Android's era of anonymous open-source software development officially over?
Google's ID policy aims to stop malware, but does it create a bigger risk by centralizing all developer data?
Google’s 2026 Android Sideloading Policy: Mandatory Developer ID Verification to Combat 50x Higher Malware Risk
Overview
Starting in September 2026, Google will require all Android app developers distributing on certified devices via sideloading or third-party stores to complete identity verification, following testing phases in 2025 and early 2026. This policy responds to a severe security crisis where users face 50 times higher malware risk outside the Play Store, as malware authors shifted focus after Google introduced Play Store developer verification in 2023. To balance security and openness, Google offers a free limited distribution account for hobbyists and an advanced, multi-step bypass for users installing unverified apps, designed to disrupt scams. Despite these measures, the policy has sparked developer backlash over increased burdens and concerns about centralizing control.