- enable developer options
- confirm that you are not tricked
- restart phone and re-authenticate
- wait one day
- confirm with biometrics that you know what you are doing
- decide if you only want unrestricted installs for 1 week or forever
- confirm that you accept the risks
- enjoy the few apps that still have developers motivated to develop for a user-base willing to put up with this
Google gives Android users a way to install unverified apps if they prove they really, really want to
Submitted 2 weeks ago by Beep@lemmus.org to technology@lemmy.world
https://android-developers.googleblog.com/2026/03/android-developer-verification.html
Comments
smeg@infosec.pub 2 weeks ago
Squizzy@lemmy.world 2 weeks ago
Is this for all android systems because it is a huge rug pull if so
AHemlocksLie@lemmy.zip 2 weeks ago
Pretty sure it’s a change to AOSP, the basis for every single Android ROM in existence.
FauxLiving@lemmy.world 2 weeks ago
I can understand this workflow being created to protect the legions of people who are tricked into installing spyware.
It doesn’t remotely affect me because I use GrapheneOS and if this is an issue for you then you’re probably someone who should look at installing GOS or Lineage.
I don’t think Google should be able to do this and it is likely part of a longer-term strategy to strangle any competition. At the same time, I can understand how this change will save a lot of grandparents from clicking a link in a text from their ‘grandchildren’ and installing spyware that’ll steal all of their bank information.
AHemlocksLie@lemmy.zip 2 weeks ago
GrapheneOS is built on AOSP, which is where the change is being made. Graphene and other custom ROMs will need to maintain a fork that cuts out the feature if they want to avoid it. Google is also starting to close off Android to make that more difficult, so it’ll become a genuine project to maintain the fork well.
fallaciousBasis@lemmy.world 2 weeks ago
I mean… This is kind of why I never let people use my phone.
I have installations from various sources enabled… Like my browser, because I know what I’m doing. But I wouldn’t trust anyone as the process is currently effortless…
If someone is trying to install spyware on you (like a partner or parent), this might offer some notification and prevention.
I don’t really see the big deal. You do it once, enable it forever, and wipe up those tears.
I think a better way would just be to have maybe like a biometric/pin confirmation upon installation. Simple. Clean.
ThirdConsul@lemmy.zip 2 weeks ago
> I can understand this workflow being created to protect the legions of people who are tricked into installing spyware.
Then you’re stupid, as most people install third party spyware through the Google Play store.
wonderingwanderer@sopuli.xyz 2 weeks ago
Combined with the news that they’re going to start requiring developer age verification even in the alternate app repositories…
flying_sheep@lemmy.ml 2 weeks ago
The biometrics part makes no sense, you can disable biometrics. You mean that you have to do a security confirmation however you’ve set it up.
Ganbat@lemmy.dbzer0.com 2 weeks ago
> In addition to the advanced flow we’re building free, limited distribution accounts for students and hobbyists. This allows you to share apps with a small group (up to 20 devices) without needing to provide a government-issued ID or pay a registration fee.
Fuck you sideways, Google.
cyberpunk007@lemmy.ca 2 weeks ago
What? ID?
MrScottyTay@sh.itjust.works 2 weeks ago
They want developers to share their IDs to have their apps on the play store. The limited groups is so hobbyist developers can still share apps without having to jump through those hoops and so the users don’t need to go and enable sideloading, with the caveat that there’s a cap on how many users you can send it to, it looks like.
ada@piefed.blahaj.zone 2 weeks ago
And again, confirming that my current phone will be the last android device I own.
luthis@lemmy.nz 2 weeks ago
What will you use instead though?
ada@piefed.blahaj.zone 2 weeks ago
At this stage, I’m thinking one of the Motorola phones that will run Graphene out of the box.
tabular@lemmy.world 2 weeks ago
Linux phone, landline, or tin can and string.
Bullerfar@lemmy.world 2 weeks ago
Fairphone with /e/os or Jolla phone with sailfishos (waiting for the reviews of their new preordered flagship phone coming out this fall.)
eager_eagle@lemmy.world 2 weeks ago
shrek_is_love@lemmy.ml 2 weeks ago
They think this will take some of the heat off of them. Hopefully no one actually thinks this is a reasonable compromise. If I want to help an elderly family member install something on their phone during Thanksgiving dinner or a family reunion, I’m not gonna want to wait a day. Uncle Paul’s flying back to Florida tomorrow morning!
tomiant@piefed.social 2 weeks ago
Thanksgiving was four months ago. Uncle Paul lives with you now.
gary_d@lemmy.world 2 weeks ago
I imagine that the demand for linux phones will only grow.
QuandaleDingle@lemmy.world 2 weeks ago
THE PENGUINS MUST GROW
Yaky@slrpnk.net 2 weeks ago
Who are these smooth-talking scammers that can guide a regular-ass user to jump through hoops in settings to install a malicious app?
Maybe I should ask them how they do it, because I cannot convince my family to download and use Signal. You know, the legit app from the official app store.
goldman60@lemmy.world 2 weeks ago
People who can’t operate a computer will somehow become gods at following instructions if someone calls “from Microsoft”
d00ery@lemmy.world 2 weeks ago
Yes exactly this. I try and explain a computer thing to someone and get ignored. That same person talks to some sales rep in the electronics store and comes away “ohh they said I need to buy super expensive antivirus, that’ll solve my issue with my screen resolution being too low”. 🤦
smeenz@lemmy.nz 2 weeks ago
You mean from ‘The Microsoft’
sveltecider@lemmy.ca 2 weeks ago
> Who are these smooth-talking scammers that can guide a regular-ass user to jump through hoops in settings to install a malicious app?
You would be extremely surprised. I think lemmy users fail to realize that not everyone has an IT job and is a sys admin.
favoredponcho@lemmy.zip 2 weeks ago
Exactly… there are a ton of older people falling for scams every day. It’s all over the news.
Fedditor385@lemmy.world 2 weeks ago
Can we prevent this on the EU level? It really is just killing independent competition.
tired_n_bored@lemmy.world 2 weeks ago
Vote for the Pirates
reksas@sopuli.xyz 2 weeks ago
There are some places one can contact:
- competition-policy.ec.europa.eu/…/contact_en
- Email Digital Markets Act team: EC-DMA@ec.europa.eu
- Contact DMA team: …ec.europa.eu/contact-dma-team_en
- Contact your Member of the European Parliament directly: zeyus.com/contact-mep-representative
- Email Antitrust: COMP-GREFFE-ANTITRUST@ec.europa.eu competition-policy.ec.europa.eu/…/contact_en
I tried sending a message to one, I forget which, and they essentially replied that they see nothing wrong with it, so more people need to complain.
kalapala@sopuli.xyz 2 weeks ago
Rental devices tend to be bad investments for the individuals.
MountainMan@lemmy.zip 2 weeks ago
They will just redefine what 24h means!
Don’t think for a second that these companies are working in good faith, and would change their evil plans due to some pushback from the rabble. They will just find ways to circumvent things. They have everyone by the nads, there are no competitors.
DeathByBigSad@sh.itjust.works 2 weeks ago
Hot Take: Honestly, this is not as bad as I thought it’d be…
(But still, it’s kinda a slippery slope…)
morto@piefed.social 2 weeks ago
Their strategy:
- announce they will make extreme restrictions
- people get crazy over it and backlash
- announce that they’re listening to people and will soften the proposed restrictions
- people relax and accept the restrictions, while the media portray them as the good guys
spectrums_coherence@piefed.social 2 weeks ago
I feel if everything they said is true, then this is a reasonable solution. But from my many Youtube scammer video experience, like people have already mentioned, most scammers use standard remote access software, not some bespoke APK.
shortwavesurfer@lemmy.zip 2 weeks ago
This would not have affected me since I use Lineage OS without Google Play Services, but I am now more seriously than ever looking into using a Linux phone like Postmarket OS.
fluxx@mander.xyz 2 weeks ago
It would affect a lot of users, then it will indirectly affect you too, as a lot of devs won’t be as interested in maintaining their apps for so few users. But I hope it will at least give a bit of a push to developing postmarket os. I personally am sure going to get a second hand phone to install postmarketos too and hope I can contribute at least a little bit. I am prepared to suffer, at least a little bit for the right cause.
Squizzy@lemmy.world 2 weeks ago
- Camera
- Phone projection for cars
- Contactless pay/ wallet/pay alternative
Give me a device that can do these and I am in for ditching android. I only use browsers or off store apps that have linux support mainly anymore anyway.
fluxx@mander.xyz 2 weeks ago
At least the last one won’t happen, as banks would have to be on board. And banks are not on your side with this one.
TotalCourage007@lemmy.world 2 weeks ago
I’m just going to eradicate Google once SteamOS supports mobile devices. Fucking control freak douchebags.
MasterNerd@lemmy.zip 2 weeks ago
Bruh what? You’re gonna be waiting a long time for that. Better to use one of the pre-existing alternatives than wait for an OS that probably won’t ever exist, and probably won’t support your hardware if it ever does.
Kissaki@feddit.org 2 weeks ago
Why is it called developer mode if it’s supposedly an advanced flow? That has a bad implication.
heiligerbimbam@lemmy.wtf 2 weeks ago
I am already on Graphene OS… so, do what the fuck u want. I don’t care.
xSikes@feddit.online 2 weeks ago
either going back to cell phones or we all go for Linux phones
achille225@jlai.lu 2 weeks ago
How will this be accepted by the EU? Will it comply with the regulations?
DeathByBigSad@sh.itjust.works 2 weeks ago
Because they technically still allow sideloading after 24 hours so I don’t think it violated EU laws
tidderuuf@lemmy.world 2 weeks ago
I hate how much more difficult my work or life has to be because some people shouldn’t have a smartphone.
COASTER1921@lemmy.ml 2 weeks ago
If this is really as straightforward as it sounds then I’d consider this the best case scenario. Google could have gone full Apple style lockdown or even just have implemented this flow on a per app basis, but needing to wait 24hr one time to enable unverified app installation isn’t a bad idea from a security perspective. It prevents a bad actor with temporary access from being able to do much while not getting in the way of us power users after the initial 24hr period.
My bigger problem is how Google is leveraging their monopoly to implement this single-handedly and only for themselves. If they had instead gone through AOSP this perhaps could have been implemented in a better way to allow other parties than just Google to be the verifier, and that 24hr waiting period could be applied to any verifier that is not the phone’s default. I’d argue this would be an equally reasonable security measure considering how many scams are out there preying on those who aren’t technologically savvy, yet would maintain transparency.
Eximius@lemmy.world 2 weeks ago
I’ve heard of security by obscurity being accepted, but never heard of security by obtuseness being accepted as valid.
tired_n_bored@lemmy.world 2 weeks ago
I hate the fact that Android is open source only on paper. You can’t compile your own flavor and install it.
fallaciousBasis@lemmy.world 2 weeks ago
You absolutely can… Custom ROMs do just that.
Your phone has to support it. It’s not a Google wall. Your phone maker determines how difficult or easy this is. Google Pixels make this really easy to install Graphene on.
cerebralhawks@lemmy.dbzer0.com 2 weeks ago
I’m okay with this. Didn’t read the article — I read one on Ars Technica or somewhere wore.
iPhone guy, but say I get an Android phone that has this. Say the Pixel 11 Pro ships with it. So I do the thing, right when I get it… 24 hours after that I can install whatever? That’s fine. It’s only 24 hours and then it’s open as long as you want it to be. I don’t even think I need to sideload, but I’ll want the option. And it’s still better than the hoops we gotta jump through to sideload on iPhone.
TheTechnician27@lemmy.world 2 weeks ago
> And it’s still better than the hoops we gotta jump through to sideload on iPhone.
The fact iOS is a joke doesn’t make this any better.
dev_null@lemmy.ml 2 weeks ago
No, you do this and then you can’t install anything, because no developer will choose this process as their publishing strategy.
Apps outside the Play Store will be dead.
cerebralhawks@lemmy.dbzer0.com 2 weeks ago
What apps outside of the Play Store, and why do I care about them? (Again, assuming I’m a new Pixel/Galaxy user.)
I remember when I bought Titanium Backup (anybody remember that?). You could buy it for X on the Play Store, or you could buy the unlocker from the developer. IIRC you pay a little bit less, but he gets 100% of the money, so you just cut Google out. I don’t recall exactly, but I did that.
I feel like anything you want to get that’s not on the Play Store, you’re gonna be savvy enough to install. Like FDroid. People who install FDroid tend to know what they’re doing. Or ad blockers. Or whatever torrent/Dark Web app that’s not in the Play Store. You’re gonna know how to do it, and if these hoops stop you from doing it, you can always get a geek to do it for you… or maybe you’d be better off ~~not doing it~~ learning how your device works first.
low@lemmy.today 2 weeks ago
I don’t care, this is a massive win
PerogiBoi@lemmy.ca 2 weeks ago
Found the Google employee.
low@lemmy.today 2 weeks ago
Bro did you want them to ban it? A one-time 24 hour wait is literally nothing compared to having 0 viable phones on the market where you can sideload.
Am I tripping? How is this not good news?
Kissaki@feddit.org 2 weeks ago
What specifically is a massive win?
low@lemmy.today 2 weeks ago
I bought an Android specifically because iPhone doesn’t allow sideloading. If Android bans sideloading, there’s no viable options left until Linux phone develops to a usable state.
The win is that they’re not banning sideloading, obviously. Personally I don’t gaf if I gotta wait 24 hours as long as you can do it.
signup@sh.itjust.works 2 weeks ago
that sideloading wasn’t banned
rikviergever@lemmy.world 2 weeks ago
Not happening on /e/OS! You can join us here: e.foundation
underwater_ghouls77@lemmy.zip 2 weeks ago
What the fuck
Horsey@lemmy.world 2 weeks ago
If graphene had Liquid Glass I’d unironically switch to it. I can’t stand flat looking UI.
Hiro8811@lemmy.world 2 weeks ago
Are you really trading off an aesthetic feature for no privacy?
MonkderVierte@lemmy.zip 2 weeks ago
Secondly, just install a liquid glass theme if you’re funny.
darkevilmac@lemmy.zip 2 weeks ago
Okay but, installing an apk is not the kind of thing a scammer does. They’ll just install some standard off the shelf remote access software from the play store
This very much feels like they just needed to come up with a new justification for this process and opted for scammers for some reason. Even though they’re completely disconnected
cecilkorik@piefed.ca 2 weeks ago
It feels that way because that’s exactly what happened.
darkevilmac@lemmy.zip 2 weeks ago
I was hoping for at least something slightly believable, someone let Gemini write the justification I guess