Google has introduced a new security measure for Android devices that adds a mandatory 24-hour waiting period before users can install apps from unverified developers. This update, described as an “advanced flow” for sideloading, aims to strike a balance between maintaining Android’s open ecosystem and improving user safety against malware and scams.

This move builds on Google’s earlier initiative requiring developers to verify their identity before distributing apps on certified Android devices. By enforcing developer verification, Google intends to quickly identify malicious actors and reduce the spread of harmful applications. However, cybercriminals have continued to exploit sideloading practices, often tricking users into installing compromised apps that can disable Play Protect or gain elevated system privileges.

To counter this, Google has redesigned the sideloading process to add multiple layers of security. Under the new system, users must first enable developer mode and explicitly confirm that they are acting independently without external influence. Next, they must restart their device and re-authenticate, which helps prevent attackers from monitoring user actions in real time. After completing these steps, users must wait 24 hours before proceeding, followed by biometric or PIN verification to finalize the installation.

This delay plays a crucial role in preventing scams. Attackers often rely on urgency to manipulate victims, but the waiting period provides users with time to reassess suspicious requests or verify claims. “In that 24-hour period, we think it becomes much harder for attackers to persist their attack,” Android Ecosystem President Sameer Samat told Ars Technica. “In that time, you can probably find out that your loved one isn’t really being held in jail or that your bank account isn’t really under attack.”

Despite these improvements, the policy has faced criticism from more than 50 developers and organizations, including F-Droid, Brave, The Electronic Frontier Foundation, Proton, The Tor Project, and Vivaldi. These groups argue that mandatory verification could create barriers for smaller developers and raise privacy concerns regarding how personal data is collected, stored, and potentially shared.

In response, Google has emphasized flexibility within its approach. The company plans to introduce “limited distribution accounts,” allowing hobbyists and students to share apps with up to 20 devices without requiring government-issued identification or registration fees. Additionally, the advanced sideloading flow will still enable experienced users to install apps from unverified sources once they acknowledge the risks.

“We know a ‘one size fits all’ approach doesn’t work for our diverse ecosystem,” Google said. “We want to ensure that identity verification isn’t a barrier to entry, so we’re providing different paths to fit your specific needs.”

Importantly, these changes will not apply to installations via Android Debug Bridge (ADB). Google plans to roll out the new sideloading process and limited distribution accounts in August 2026, ahead of the full enforcement of developer verification requirements.

The announcement coincides with the emergence of new Android malware, including a threat known as Perseus, which targets users in regions such as Turkey and Italy for device takeover and financial fraud. Against that backdrop, Google’s latest update reflects its ongoing efforts to strengthen Android security while preserving user choice.
