Google has instituted a mandatory 24-hour waiting period for users attempting to install Android applications from unverified developers outside of its official Play Store. The policy change, announced on Thursday, is designed to curb the spread of malware and fraudulent software while maintaining the platform’s open nature.
The new security measure introduces what Google terms an “advanced flow” for the process of sideloading apps. When a user attempts to install an application package file (APK) from a web browser or file manager, the system will now check the developer’s verification status. If the developer is not verified by Google, the installation will be blocked for a full day.
Background and Developer Verification
This update builds upon a broader developer verification mandate that Google announced in 2023. That policy requires all individuals and organizations publishing Android apps, whether on the Play Store or elsewhere, to complete a verification process with the company. The goal is to establish a baseline of accountability for all software circulating in the Android ecosystem.
The verification process involves developers providing Google with accurate contact information and, for organizations, undergoing a Dun & Bradstreet registration check. Once verified, developers receive a unique profile that is meant to increase transparency for users.
Balancing Openness and Security
Android has historically distinguished itself from competitors by allowing users to install software from sources beyond a single, controlled marketplace. This openness, however, has frequently been exploited by malicious actors distributing harmful apps that steal data, display intrusive ads, or commit financial fraud.
Google’s new approach attempts to strike a balance. It does not eliminate sideloading, a feature valued by many advanced users and developers, but it introduces a significant friction point intended to disrupt impulsive installations of potentially dangerous software. The 24-hour delay is presented as a “cooling-off” period, allowing users time to reconsider the installation of an app from an unknown source.
Implementation and User Experience
When the new flow is triggered, users will see a clear on-screen explanation stating that the app’s developer is not verified and that installation is delayed for security reasons. A timer will display the remaining wait time. The system is designed to recognize repeated attempts to install the same APK file, so the clock will not reset if a user tries multiple times.
Apps from verified developers, as well as those installed directly from the Google Play Store, will not be subject to this waiting period. The change is being implemented through an update to Google Play Services, a core component that runs on most Android devices, ensuring wide and consistent rollout.
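The gating logic the two paragraphs above describe can be modelled in a few lines. The following is an added illustration, not Google's code, and it assumes details the article does not state: that the installer identifies a "same APK" by a content hash (so a renamed copy does not restart the timer), that installation source and developer verification status are available as plain values, and that time is supplied by an injectable clock so the behaviour can be checked without waiting a day.

```python
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple

# The 24-hour cooling-off period from the article, in seconds.
WAIT_SECONDS = 24 * 60 * 60


@dataclass
class InstallGate:
    """Hypothetical model of the 'advanced flow' for sideloaded APKs.

    Installs from the Play Store or from verified developers pass through.
    Anything else is held for WAIT_SECONDS, measured from the FIRST attempt
    for that APK; repeated attempts report the remaining time and never
    reset the clock.
    """
    verified_developers: Set[str]
    clock: Callable[[], float] = time.time
    # APK content hash -> timestamp of the first install attempt (assumed design).
    pending: Dict[str, float] = field(default_factory=dict)

    def request_install(self, apk_bytes: bytes, developer_id: str,
                        source: str) -> Tuple[str, int]:
        """Return ("allow", 0) or ("wait", seconds_remaining)."""
        # Play Store installs and verified developers skip the waiting period.
        if source == "play_store" or developer_id in self.verified_developers:
            return ("allow", 0)

        # Key the timer on the APK's content, not its file name, so the user
        # cannot restart the clock by re-downloading or renaming the file.
        digest = hashlib.sha256(apk_bytes).hexdigest()
        now = self.clock()
        first_seen = self.pending.setdefault(digest, now)
        remaining = WAIT_SECONDS - (now - first_seen)
        if remaining <= 0:
            return ("allow", 0)
        return ("wait", int(remaining))


class FakeClock:
    """Deterministic clock for demonstrating the timer without real waiting."""

    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> list:
    """Walk one unverified APK through the flow; returns the decision sequence."""
    clock = FakeClock()
    gate = InstallGate(verified_developers={"dev-verified"}, clock=clock)
    apk = b"constructed sample APK bytes, not a real package"
    results = []
    results.append(gate.request_install(apk, "dev-unknown", "browser"))       # first attempt
    clock.advance(3600)
    results.append(gate.request_install(apk, "dev-unknown", "file_manager"))  # retry, no reset
    clock.advance(WAIT_SECONDS - 3600)
    results.append(gate.request_install(apk, "dev-unknown", "browser"))       # period elapsed
    results.append(gate.request_install(apk, "dev-verified", "browser"))      # verified developer
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point worth noting for anyone building a similar control is the choice of key: if the timer were keyed on file name or download URL rather than on the package contents, a second download of the same malicious APK would silently restart the cooling-off period, defeating the "repeated attempts" behaviour the article describes.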
Industry and Security Context
The move occurs amid increasing global regulatory scrutiny of app store practices, particularly in the European Union under the Digital Markets Act (DMA). Such regulations often compel platform owners to allow third-party app stores and sideloading. Google’s preemptive implementation of a security-centric sideloading flow may serve as a model for compliance in regulated markets.
Security researchers have long cited sideloading as a primary vector for mobile malware. By adding this hurdle, Google aims to reduce the success rate of social engineering attacks that trick users into immediately installing malicious apps from phishing websites or misleading advertisements.
Expected Developments and Next Steps
The 24-hour wait feature is currently in a phased global rollout. Google has indicated it will monitor the impact on malware rates and user feedback closely. Future adjustments to the policy or the duration of the waiting period are possible based on the collected data. The company is also expected to continue enhancing its developer verification system to further legitimize the external Android app ecosystem.
Source: GeekWire