Google requires developer verification for apps installed outside the Play Store

Key update

Google announced that certified Android devices will require "developer verification" for any app to be installable on the device — not just apps distributed through Google Play. The rollout starts with an early‑access program in October 2025, opens registration for all developers in March 2026, and begins enforcement in Brazil, Indonesia, Singapore, and Thailand in September 2026, with a global rollout continuing through 2027. The verification links a package name and signing key to a verified developer identity; it does not mean Google will review app content, but it does require personal/organizational identity data and registration of signing keys. (android-developers.googleblog.com)

Why it matters

This changes the practical threat model and developer workflows around sideloading and alternative app stores. For teams and CI/CD pipelines it means: ensure package names and signing keys are registered and that a verified developer identity exists for any app you want users to be able to install on certified devices; expect changes to automation if you currently rely on anonymous or hobbyist distribution. Smaller, hobbyist, or privacy‑conscious maintainers will need to evaluate the separate student/hobby account Google plans to offer, or consider forming a legal entity to protect personal contact details. For security teams, the change should reduce repeat‑offender malware by attaching accountability to installs; for open‑source and distribution‑policy advocates it raises legitimate concerns about developer anonymity and cross‑border enforcement. Practically, sign up for the early access program (Oct 2025) to test the new Android Developer Console, audit your signing key workflows, and update deployment docs so installs in the initially targeted markets aren’t blocked when enforcement begins. (android-developers.googleblog.com)

Source

• Source