I've always preferred Android phones to iOS since college, when I'd spend hours designing Zooper Widgets on a Galaxy S4 to create a good-looking setup limited only by my imagination, the app's features, and device battery life. Until very recently, the OS wasn't a pain point. It was only when I tried unlocking the bootloader on a Xiaomi phone around 2020 that I realized how cumbersome it was to email the company and wait. For power users, the ability to compile an open-source tool, host it on a personal server, and install it on a daily driver without asking a massive corporation for permission seems fundamental to their digital rights.

Unfortunately, starting in September this year with millions of certified Android devices in select regions, Google is rolling out a policy that will unilaterally block applications if the corresponding developer hasn't signed up directly with the search giant. Subsequently, this policy will roll out to all certified devices worldwide. For the average end user, the simple process of sideloading an "unverified" app from an indie dev will become just as cumbersome as rooting phones. Sideloading isn't going away just yet, but the two-tap process will become a prohibitively agonizing experience in about 90 days at the time of writing, complete with the 24-hour wait before you can proceed. This could be Google's Apple-ification of Android, strangulating power users under the guise of a security update.

Sideloading isn't dead, just buried alive

An advanced flow that deters, but still doesn't protect

If you are simply trying to sideload a verified developer's creations, the installation process remains relatively unchanged, maintaining the clever illusion of an open platform. Think, sideloading the Netflix APK in a country where the service or the app isn't natively available through the Play Store, or grabbing the latest WhatsApp beta from APKMirror. Large corporations like these are verified entities in Google's books.

The second tier is for small-scale devs who don't want to pay the titan's $25 fee and submit a government-issued ID. For them, Google shall graciously hand out "limited distribution accounts" where you can sideload the app on a whopping 20 unique devices only. This effectively kills grassroots beta testing and severely limits the reach of community-driven open-source projects that rely on word-of-mouth distribution.

If a developer does not verify themselves at all, an unregistered app will need what Google casually calls "Sideloading with… advanced flow". The steps are deliberately agonizing, designed to ensure the average curious person gives up halfway through. First, you must delve deep into System Settings and tap the software build number seven times to enable Developer Mode. Then, you navigate back to Settings -> System -> Developer Options to toggle a new Allow Unverified Packages switch.

You'll then see a scare screen seeking confirmation you aren't being coerced into this installation, followed by a prompt to enter your device unlock PIN or biometric password. After that, you must restart your device and wait for a mandatory, unskippable 24-hours rather reminiscent of YouTube's long ads. Once that passes, you must return to the unverified packages menu, scroll past additional scare screens, and finally choose to Allow temporarily for seven days or Allow indefinitely, reconfirming that you understand the severe risks of sideloading an app.

A closed ecosystem in 'User safety' garb

Not very different from Apple's walled garden anymore

Google's official blog post on the matter states this drastic move is all about "protecting the open environment," adding an "extra layer of security that deters bad actors" and making it significantly harder for them to spread harm across the ecosystem. I agree coercion is a common threat vector in organized phishing scams, where malicious actors keep victims on the phone to bypass security warnings. I sympathize with the victims of such crimes, but punishing the global user base by altering Android's DNA seems like a tremendous overcorrection that destroys collateral freedoms.

From afar, at least, it looks like the company is locking down the ecosystem for good. By baking this advanced flow entirely into proprietary Google Play Services instead of the open-source AAOS, Google retains the ability to withdraw the currently promised and graciously fear-mongering route to sideloading. It can tighten or kill this flow silently, without user consent or even an OS update. The changes might be well-intentioned on paper, yet we cannot help but liken the approach to Apple's notoriously closed ecosystem, which actively discourages external software. The security rationale seems flimsy because Google Play Protect already scans each installed app for malware locally on every certified device, irrespective of developer identity and the APK's origin.

To the trained eye, this aggressive gatekeeping also looks like a glaring admission of failure. Google has historically struggled to monitor the rampant scam apps and low-effort adware proliferating within the Play Store. Adding one additional Hail Mary step for outside apps feels profoundly hypocritical. Collecting IDs from independent devs adds a layer of corporate accountability, making the creators identifiable and potentially susceptible to arm-twisting. However, a government ID does not impact app code directly. Whistleblowers, journalists, dissidents, and hobbyists who rely on anonymity under authoritarian regimes could be forced off Android entirely.

Google says it already has the requisite credentials for devs distributing through Google Play. However, these new restrictions also apply to devs distributing apps exclusively outside Google Play, like those on F-Droid or GitHub. They will still need to register their apps through the Android Developer Console, agree to irrevocable terms, and upload evidence of private signing keys. Otherwise, Google can silently block the apps on every Android device worldwide. So, if you bought an Android phone for the open hardware platform where a Xiaomi phone can run a Google Camera app ported over from the Pixel, Google can now arbitrarily lock hardware you own and paid for. Worryingly, the average user may struggle to create meaningful backlash while Google justifies its actions under the broad umbrella of user safety.

The clock is ticking down fast

What is the larger play here?

Early access programs are already officially underway for these developer-side verification programs, with limited distribution accounts scheduled to launch globally for students and hobbyists very soon. Once enforced, it's difficult to ignore how this system would also benefit Google's recurring revenue from subscription-based business models like YouTube Premium and AI Pro memberships. Currently, technically proficient users can easily sideload creative solutions engineered by entities like the ReVanced project to get around Google's strict paywall and access the exact same premium features like ad-free playback and background play in YouTube, for example.

With these devs attracting the company's wrath for years, the upcoming changes could put them at the titan's mercy to sign off on their app identifiers. There's no doubt the tech giant's aggressive measures could force such projects to shut shop. Even without direct rivalry with Google services, if a talented developer refuses to surrender their government ID, pay a registration fee, and submit their signing keys to Google, their software becomes utterly useless on the world's most popular mobile operating system. This is an unprecedented power grab masquerading as a security patch.

As of writing this article, around 90 days remain before Google's sweeping changes come into force and alter the Android landscape forever. You can rally against this change through the KeepAndroidOpen initiative. On an open platform and a device you own, Google shouldn't dictate what you can run, and which apps should be easier to install than others. If it comes down to it, perhaps its finally time to switch to Linux on smartphones.