Google's August 2025 announcement of developer verification has caught quite a bit of attention in the Android community. Why?
From September 2026, all apps installed on certified Android devices will have to come from a verified developer across several regions, with a global rollout the following year. Google frames the change as implementing an “ID check at the airport”, it will confirm developer details at install time in an attempt to avoid fraudulent copies of a legitimate app from being installed, and it will also make it much harder for bad actors to disappear and re-emerge under a new name.
As someone who spends a lot of time working at the intersection of product management and engineering across the enterprise ecosystem, here's my take on why this matters and what it means for consumers, developers and organisations.
According to Google's own analysis, malware from internet-sideloaded sources is more than 50 times more prevalent than malware from Google Play. Attackers exploit anonymity to impersonate brands, distribute fake apps and drain users' finances.
Potentially Harmful Applications (PHAs) are rife within the ecosystem, just last year alone Google blocked 2.36 million policy-violating applications, and banned more than 158,000 developer accounts from Google Play - that's just Google Play, and that's just one distribution method. Those apps don't simply vanish; they'll pop up on other 3rd party stores, via dodgy web ads, fraudulent websites.. the risk is very real.
So real, in fact, Kaspersky claims just over 50,000 malicious apps were detected in Q1 of this year running on Android devices according to this report.
👋 Oh hey, if you're an enterprise with EMM-enrolled Android devices using managed Google Play as your application distribution method, the Potentially Harmful Application (PHA) installation rate is only around 0.009%, per the 2024 Android Security Paper (page 32, ref: Google security services). Just in case the above figures were starting to brew some perceptions..
To tackle this, Google will require developers who distribute apps on certified devices - whether through Play, alternative stores or direct downloads - to register and verify their identity. The process involves two main steps: verifying the developer's identity and then registering apps using the package name and signing keys; student and hobbyist developers will have a separate portal with fewer requirements. Importantly, Google emphasises that developers remain free to sideload apps or use any store they prefer, preserving Android's open nature.
Our recent analysis found over 50 times more malware from internet-sideloaded sources than on apps available through Google Play.
Positive reaction has come from regulators and industry bodies. Brazil's banking federation, quoted in Google's announcement, describes the policy as a “significant advancement in protecting users and encouraging accountability,” while Indonesia and Thailand's digital ministries call it a "balanced and proactive measure". There is a genuine need for better deterrence against repeat offenders; if you've ever seen fraudulent banking apps trick unsuspecting users, you will appreciate why verifying developer identity matters.
Of course, Google Play itself isn't devoid of PHAs, according to a recent report from Zscaler (via techradar). Developer verification should, in theory, help here also, though to what extent is to be seen as developer verification in Play has been available for a while already.
The immediate community response has been mixed. Privacy-conscious developers worry that verification erodes the anonymity that has long been part of Android's culture, and raise practical questions about how the system will handle things like package-name collisions - concerns I haven't yet seen clearly answered. Others fear that requiring legal names, addresses and D-U-N-S numbers could deter hobbyists or small open-source projects from publishing, even outside of Play. These criticisms hold water to a point: security requirements should not become barriers to entry or stifle experimentation.
However, framing verification as an oppressive burden misses some nuance. Developers who distribute via Google Play have been subject to similar verification since 2023, so many already comply. For students and hobbyists, Google is offering a lighter-weight console. And crucially, local development isn't affected. You can still build, install and debug your app on a device using the Android Debug Bridge (ADB) and Android Studio, meaning hobby projects, corporate prototypes and test builds remain free from the new requirement.
Google has publicly emphasised that “sideloading is fundamental to Android, and it's not going anywhere,” assuring developers that this change simply adds traceability, not outright removal of sideloading capabilities.
Sideloading is fundamental to Android, and it's not going anywhere.
Of course, registering as a verified developer will take some time and potentially overhead. For large enterprises this could be a footnote (or it could be a nightmare, if existing challenges with Android Enterprise organisation ID management are anything to go by historically..); for smaller teams it will be an extra administrative task. But when weighed against the financial and/or reputational harm caused by fraudulent apps or stolen data, having to provide proof of identity feels like a reasonable ask. The requirement doesn't restrict where apps come from or force developers into Google Play, and it shouldn't hinder legitimate distribution by third-party app stores.
From a user perspective, developer verification has clear benefits. When a developer must prove who they are, it becomes significantly harder to spin up a new account after a scam app gets taken down. Users will know that every app on a certified device comes from someone traceable, and regulators will find it easier to investigate and prosecute fraud. That doesn't mean all malware will vanish - verification doesn't vet an app's code - but it does raise the bar for attackers.
Critics have argued that requiring verification might discourage open-source or independent developers. Yet, history suggests that anonymous distribution channels are where malware thrives. Google is not closing those channels; it is adding a basic accountability layer akin to "showing ID at the airport". You can still carry your own bags through security, but you must show that you are who you say you are. That's hardly draconian.
Oh, and just to point it out, this verification is on the developer, not the user. Commentary suggesting burdens on end-users wanting to install random internet APKs shouldn't be compared to ID verification are.. misguided. As a user, installing an unverified app requiring extra effort should be a red flag for the safety of the application in question, not an immediate drive to work around it.
While consumer benefits are clear, the enterprise reaction has been more sceptical. Corporate IT departments can rely heavily on APK deployment to distribute in-house applications, supply-chain tools and partner apps. Many organisations sideload apps using the custom DPCs, (and more recently now via the Android Management API (AMAPI) or their own app catalogue because Managed Google Play does not fit every use case or requirement. In community discussions, administrators worried that Google was inserting itself into their internal deployment: long-time advocate for enterprise freedom, Matt, called for “the same blanket exception that was applied to Google Play Protect” so that fully managed devices wouldn't need to verify their own in-house apps. I've seen first-hand the amount of APK sideloading that happens, particularly with smaller companies using AMAPI, because they cannot (or couldn't, as of a week before this article was published) distribute via an EMM platform. The notion of having to register every internal tool with Google felt intrusive and potentially expensive.
These concerns gained traction until Google clarified its position. In a follow-up post on the Android Enterprise community, the Google announced three key exemptions:
Extension for enterprise devices: Apps from Google Play installed on fully managed devices or within Work Profiles can continue to be installed without developer verification until September 2027, giving organisations an extra year to prepare.
DPC-installed app exemption: Applications installed via an Enterprise Mobility Management (EMM) Device Policy Controller (DPC) are exempt from verification indefinitely. This means that if an organisation installs an app through its EMM agent, it will not need to verify the developer.
Managed Google Play private apps: Private applications uploaded through Managed Google Play are also exempt indefinitely.
These concessions are significant because they preserve the autonomy of enterprise deployments. Administrators can continue to manage corporate devices and distribute bespoke apps without registering them with Google, as long as they use a DPC or Managed Google Play. The requirement only applies when users sideload apps directly onto certified devices outside of those channels.
With this clarification from the Android Enterprise team, I feel like the enterprise ecosystem is wholly unimpaired by the changes. It'll be a relief to many.
On balance, yes. The policy addresses a real problem - anonymous actors using sideloaded apps to commit fraud - while preserving Android's openness. Consumers stand to benefit from a more trustworthy ecosystem, and legitimate developers gain a stronger reputation. The identity-verification process may feel like an administrative overhead, but most developers distributing widely will already have processes in place for Play or other app stores. Hobbyists and local development remain unaffected; ADB sideloading still works.
For enterprises, the initial fear that Google would insert itself into corporate app management has been allayed by the DPC and Managed Play exemptions. Organisations should still pay attention to the long-term direction: by 2027, apps installed outside of DPC and Managed Play channels will require verification on managed devices. That's a gentle nudge towards using the official tools that provide better visibility and control.
As these things tend to be, it's a classic trade-off: an increase in friction for developers in exchange for a substantial reduction in harm to users. As with any new policy, implementation details need further clarity and ongoing discussion, but with the enterprise concessions now on the table, the pendulum swings decisively towards developer verification being a good thing for the Android ecosystem.
| Phase | Dates | Notes |
|---|---|---|
| Announcement | Aug 2025 | Google announces developer verification |
| Early access | Oct 2025 | Early access begins. Invitations will be sent out gradually. |
| Verification opens | Mar 2026 | Verification opens for all developers. |
| Enforcement begins | Sep 2026 | Requirements go into effect in Brazil, Indonesia, Singapore, and Thailand. At this point, any app installed on a certified Android device in these regions must be registered by a verified developer. |
| Global rollout | 2027 & beyond | Requirements roll out globally. |
| Enterprise extension | To Sep 2027 | Fully managed & Work Profile devices temporarily exempt from installing unverified developer applications via Google Play |
| DPC & private app exemption | Indefinite | Apps installed via EMM DPC or Managed Google Play never require verification |
Does this mean I need Google's permission to run my own apps?
No. Verification requires developers to confirm their identity and register package names, but Google is not reviewing app content for apps outside of Google Play. Local development, testing and internal distribution through above referenced channels are unaffected.
Is sideloading going away?
No. Google has explicitly stated that sideloading is "fundamental to Android, and it's not going anywhere." The change introduces accountability by requiring developer verification on certified devices, not a ban on sideloading. That doesn't mean you should install apps from unknown sources.
Can I still use ADB to install my own builds?
Yes. ADB installations for local development remain unaffected.
Does this affect enterprise app deployment?
Enterprises have exemptions. Apps installed through an EMM Device Policy Controller (DPC) or published as private apps in Managed Google Play are exempt indefinitely. Fully managed and Work Profile devices installing public apps from Google Play have an extension on permitting installation without developer verification until September 2027.
Is this just a revenue grab?
No. Developer verification uses the same $25 one-time registration fee already in place for Play Console accounts. Student and hobbyist developers will have access to lighter-weight options with no fees (as currently documented).
Does this change anything for non-certified devices?
No. The requirements only apply to certified Android devices with Google Play services. Non-certified devices are unaffected.
What do you mean an extra year to prepare for Play Store apps in enterprise?
It means eventually some of the applications an organisation relies on may not be possible to install on new devices from 2027 - exactly the same consideration for consumers in 2026. If an organisation needs an application, now is the time (yes, in 2025) to reach out to the developer(s) of the required apps to ensure they are aware of, and willing to comply with, these requirements.
Will installed applications be removed after the deadlines?
No. It will not be possible to push updates to the apps for developers without verification though, so that poses its own risks.
Note: All information reflects publicly available sources as of 2 September 2025 and may evolve as Google refines the programme.