
We finally know how Android's new app verification rules will actually work


Google has shed more light on how Android’s app verification rules, which will block sideloading of apps from unverified developers, will work.
Starting next year, Android will block the installation of apps from unverified developers, a policy that affects both Play Store and sideloaded apps.
The new system requires Android to check if a developer is verified, which in some cases will necessitate an active internet connection during installation.
Hobbyist developers can get a free account but will face strict distribution limits, requiring them to manually authorize each device installing their app.
Back in August, Google made an announcement that shocked Android enthusiasts and privacy advocates: Starting next year, Android will block the installation of apps from unverified developers. This applies not only to apps on the Play Store but also to apps distributed outside of it, sparking concern that Google wants to kill sideloading. After a few weeks of silence, Google finally addressed these concerns, insisting that sideloading is here to stay. The company also shared new details about how its developer verification requirements will be enforced, including that, in some cases, Android will require an active network connection to sideload apps.
Last month, we spotted evidence in the Android SDK suggesting developer verification could fail when a network connection is unavailable. We couldn’t confirm this behavior at the time, since Android’s developer verification requirements hadn’t yet gone into effect. This week, however, Google confirmed this will be the case. Alongside its blog post declaring that “sideloading is fundamental to Android,” Google also published a video explaining the reasoning behind the verification requirements and how it will be implemented next year. I pored over the video to learn as much as I could about these upcoming changes so you don’t have to.
How Android will verify apps
When you try to install an Android app, the operating system already performs a number of checks before allowing the installation to go through. These checks ensure an app with the same application ID (i.e., package name) isn’t already installed, that it isn’t built for an extremely old version of the OS, and, most importantly, that it hasn’t been flagged as malware by Google Play Protect.
Google is now tacking on an additional step to this process. The company has built a hook into the install flow, requiring any app being installed for the first time to go through verification. At the time of installation, Android will communicate with a “trusted entity” on the device called the Android Developer Verifier. This new, preloaded system service determines if the app’s developer has been verified, if any issues were encountered during verification, and finally, what installation policy to enforce.
To determine if an app’s developer has been verified, the Android Developer Verifier service needs to check that the package and the key used to sign it have been submitted to Google. It’s impossible to maintain a comprehensive on-device database of such package and key combinations, especially since so many new Android apps pop up each week. This is why Google says your phone will need a network connection to verify apps, though only in the “worst-case scenario.” The company plans to have the Developer Verifier service maintain a cache of the most popular apps it has already verified so they can be installed without a network connection.
Furthermore, Google says it’s working on a solution for app stores to bypass additional network calls.
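The lookup described above, modelled in Python as an added example (not Android's or Google's code): the verifier keys on the package name together with the signing key, answers from an on-device cache when it can, and otherwise needs the network. The function names, the outcome values, the use of a SHA-256 certificate digest as the key identifier, and all sample data are assumptions constructed for this illustration.

```python
import hashlib
from enum import Enum


class Outcome(Enum):                      # hypothetical outcome names
    VERIFIED = "verified"
    UNVERIFIED = "unverified"
    CANNOT_VERIFY = "cannot verify (no network)"


def identity(package: str, signing_cert: bytes) -> tuple:
    """Lookup key: the package name bound to a digest of the signing cert.
    (SHA-256 over the cert bytes is an assumption of this model.)"""
    return package, hashlib.sha256(signing_cert).hexdigest()


# Constructed sample data: not real packages, certificates or registry contents.
CERT_A, CERT_B, CERT_OTHER = b"constructed-cert-A", b"constructed-cert-B", b"constructed-cert-X"
REGISTRY = {identity("com.example.popular", CERT_A),   # what developers submitted
            identity("com.example.niche", CERT_B)}
CACHE = {identity("com.example.popular", CERT_A)}      # on-device subset of popular apps


def remote_lookup(key: tuple, online: bool) -> bool:
    """Stand-in for the network call to the full registry."""
    if not online:
        raise ConnectionError("no network")
    return key in REGISTRY


def verify_install(package: str, signing_cert: bytes, online: bool) -> Outcome:
    key = identity(package, signing_cert)
    if key in CACHE:                      # cache hit: works offline
        return Outcome.VERIFIED
    try:
        registered = remote_lookup(key, online)
    except ConnectionError:               # the "worst-case scenario": cache miss, no network
        return Outcome.CANNOT_VERIFY
    return Outcome.VERIFIED if registered else Outcome.UNVERIFIED


if __name__ == "__main__":
    cases = [("com.example.popular", CERT_A, False),      # cached, offline
             ("com.example.niche", CERT_B, False),        # registered but not cached, offline
             ("com.example.niche", CERT_B, True),         # registered, online
             ("com.example.popular", CERT_OTHER, True)]   # same name, different signing key
    for pkg, cert, online in cases:
        print(pkg, "online" if online else "offline", "->", verify_install(pkg, cert, online).value)
```

Because the key includes the signing certificate, a package that reuses a cached app's name but is signed with a different key misses the cache and is only resolved by the full lookup.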
