SoylentNews

hubie [soylentnews.org] writes:

Google gives Android users a way to install unverified apps if they prove they really, really want to

Described as an attempt to balance openess with safety [theregister.com]:

It turns out you won't be limited to Google-verified apps an developers on Android after all. In the face of sustained community dissatisfaction with its developer verification requirement, Google has given Android users an out.

On Thursday, Google said it will offer Android users a way to continue installing software from unverified developers.

"We've heard from power users that they want to take educated risks to install software from unverified developers," wrote Matthew Forsythe, director of product management for Android App Safety, in a blog post [googleblog.com].

Power users, for lack of a better term, have been vocal in their opposition to Google's plan, which was announced last August. Starting in September 2026 [android.com], the Chocolate Factory required apps on certified Android devices to be linked to a verified developer account.

Although Google insisted it was important for security, many voices cried out against the verification process, which involves a $25 fee and providing Google with identity documentation. In February, 37 civil society groups, non-profit organizations, and tech companies published an open letter objecting to the requirement.

So, according to the blog post, Android users will still be able to install apps from unverified developers through a one-time process that has been designed to counter scenarios where the user is pressured to install malware.

"Because the consequences of these scams that use sophisticated social engineering tactics are so severe, we have carefully engineered the advanced flow to provide the critical time and space needed to break the cycle of coercion."

[...] The process is designed to create friction. Users must first enable developer mode in system settings. They then need to confirm that they're not being coerced. After that, they need to restart their phone and reauthenticate. And then they need to wait one day.

"There is a one-time, one-day wait and then you can confirm that this is really you who's making this change with our biometric authentication (fingerprint or face unlock) or device PIN," said Forsythe. "Scammers rely on manufactured urgency, so this breaks their spell and gives you time to think."

Thereafter, you can install apps from unverified developers on the device you notionally own. Users will have the option to enable such apps for seven days or indefinitely.

Android developer verification: Balancing openness and choice with safety

Android proves you don't have to choose between an open ecosystem and a secure one [googleblog.com]:

Android is built on choice. That is why we've developed the advanced flow – an approach that allows power users to maintain the ability to sideload apps from unverified developers.

This flow is a one-time process for power users – but it was designed carefully to prevent those in the midst of a scam attempt from being coerced by high pressure tactics to install malicious software. In these scenarios, scammers exploit fear – using threats of financial ruin, legal trouble, or harm to a loved one – to create a sense of extreme urgency. They stay on the phone with victims, coaching them to bypass security warnings and disable security settings before the victim has a chance to think or seek help. According to a 2025 report [gasa.org] from the Global Anti-Scam Alliance [gasa.org] (GASA), 57% of surveyed adults experienced a scam in the past year, resulting in a global consumer loss of $442 billion. Because the consequences of these scams that use sophisticated social engineering tactics are so severe, we have carefully engineered the advanced flow to provide the critical time and space needed to break the cycle of coercion.

How the advanced flow works for users

1. Enable developer mode in system settings: Activating this is simple. This prevents accidental triggers or "one-tap" bypasses often used in high-pressure scams.
2. Confirm you aren't being coached: There is a quick check to make sure that no one is talking you into turning off your security. While power users know how to vet apps, scammers often pressure victims into disabling protections.
3. Restart your phone and reauthenticate: This cuts off any remote access or active phone calls a scammer might be using to watch what you're doing.
4. Come back after the protective waiting period and verify: There is a one-time, one-day wait and then you can confirm that this is really you who's making this change with our biometric authentication (fingerprint or face unlock) or device PIN. Scammers rely on manufactured urgency, so this breaks their spell and gives you time to think.
5. Install apps: Once you confirm you understand the risks, you're all set to install apps from unverified developers, with the option of enabling for 7 days or indefinitely. For safety, you'll still see a warning that the app is from an unverified developer, but you can just tap "Install Anyway."

We know a "one size fits all" approach doesn't work for our diverse ecosystem. We want to ensure that identity verification isn't a barrier to entry, so we're providing different paths to fit your specific needs.

In addition to the advanced flow we're building free, limited distribution accounts for students and hobbyists. This allows you to share apps with a small group (up to 20 devices) without needing to provide a government-issued ID or pay a registration fee. This ensures Android remains an open platform for learning and experimentation while maintaining robust protections for the broader community.

Original Submission