Google has announced a significant change to the Android ecosystem, mandating identity verification for all developers who wish to distribute apps on certified Android devices. This new requirement extends beyond the Google Play Store, affecting developers who distribute their software through third-party app marketplaces or direct sideloading. The company’s primary objective is to create a more secure and trustworthy environment by making it more difficult for malicious actors to anonymously distribute harmful applications and scams. This “crucial accountability,” as Google describes it, will prevent repeat offenders from simply creating new accounts after their harmful apps are taken down.
The new policy will be implemented in a phased approach. Invitations for early access to the developer verification process will begin to be sent out in October 2025, with the system opening up to all developers in March 2026. The new requirements will first go into effect in specific regions—Brazil, Indonesia, Singapore, and Thailand—starting in September 2026. After this initial rollout, Google plans to gradually expand the mandate to other parts of the world in 2027 and beyond. The company selected these initial regions due to their particular vulnerability to app-based scams and fraud.
For developers already using the Google Play Store, the impact of these changes will be minimal. They have likely already met the verification requirements through the existing Play Console process. However, for those who exclusively distribute apps outside of Google Play, a new Android Developer Console account will be introduced for them to verify their identity and register their apps’ package names and signing keys. Google has also recognized the unique needs of student and hobbyist developers and is working on a separate type of account for them with presumably less stringent requirements.
Google’s decision is a direct response to the prevalent issue of malicious apps that impersonate legitimate software and are often distributed via third-party channels. The company’s analysis has shown that sideloaded apps from the open internet are over 50 times more likely to contain malware than those available on the Google Play Store. By requiring developer verification, Google is adding a new layer of security to its existing measures, such as those that block potentially dangerous apps in certain markets, and its 2023 requirement for new organizational accounts to provide a D-U-N-S number.
While Google frames these changes as a necessary step to protect users and enhance the overall security of the Android platform, they also come at a time of increased scrutiny for the company. The move to tighten control over app distribution, particularly sideloading, occurs amid potential reforms to the Play Store following a lost antitrust lawsuit. The new developer verification mandate, while aimed at security, could also be seen as an effort to centralize control and make it more difficult for alternative app stores and developers to operate without being tied to a Google-verified identity, thus providing a consistent and common baseline of developer accountability across the entire Android ecosystem.
Reference:
