Google Sets Sept. 30 Deadline for Android Developer Verification in Four Countries
The Hacker NewsArchived Jun 22, 2026✓ Full text saved
Google has set September 30, 2026, as the day it begins enforcing Android developer verification in the first four countries, and the major device-maker app stores are in from the start. On that date, certified Android phones in Brazil, Indonesia, Singapore, and Thailand will block normal installs of apps whose developers have not registered an identity with Google, whether the app
Full text archived locally
✦ AI Summary· Claude Sonnet
Google Sets Sept. 30 Deadline for Android Developer Verification in Four Countries
Swati KhandelwalJun 22, 2026Mobile Security / Open Source
Google has set September 30, 2026, as the day it begins enforcing Android developer verification in the first four countries, and the major device-maker app stores are in from the start.
On that date, certified Android phones in Brazil, Indonesia, Singapore, and Thailand will block normal installs of apps whose developers have not registered an identity with Google, whether the app comes from Google Play or the stores run by Samsung, Xiaomi, OPPO, vivo, Honor, and Transsion.
Certified devices are the ones that ship with Google's services and Play Protect, which, by F-Droid's count, is more than 95 percent of Android devices outside China.
Most users will not notice, which is the point. Apps from verified developers keep installing as before. The friction lands on apps from developers Google has not verified, and is hardest on the independent and open-source channels, built on not needing Google's permission to ship.
Developers distributing through those stores need to verify and register before the deadline. Google says apps that miss it will be unavailable for new installation on certified devices in the four countries.
What flips on September 30
The check runs on the device. Google is pushing a new system service, the Android Developer Verifier, to phones on Android 8 and newer starting in June 2026, and it confirms an app is registered to a verified developer before the app installs.
After September 30, in the four launch markets, an unregistered app will not install through the normal path. It can still be installed over Android Debug Bridge (ADB) or through the advanced flow, the deliberately high-friction route Google built earlier this year. That route makes the user turn on developer mode, restart, wait 24 hours, and reauthenticate before sideloading an unverified app, and it goes global in August.
Registration opened to all developers in March, and Google says it already covers nearly all installs on Google Play and a large majority of those from outside it.
To register, a developer gives Google a legal name, address, and contact details, may have to upload a government ID, and proves ownership of each app by submitting an APK signed with their private key.
Google is also adding APIs for bulk registration and package-name checks, with OAuth delegation so a third-party store can run parts of the process for developers. The two interfaces, an Android Developer ID Status API and an Android Developer Console API, arrive in July.
A separate lane for free limited-distribution accounts enters early access in July and launches globally in August; it lets students and hobbyists share apps with up to 20 devices, with no government ID and no fee. The standard full developer account carries a one-time $25 fee.
Why the open-source camp is fighting it
Google's case is malware. It says sideloaded sources carry far more of it than Google Play, and that scams increasingly work by talking a victim into installing a malicious APK on the spot.
An identity check and a 24-hour wait are meant to break that. Google says it chose the four launch countries because they are hit hard by app scams, often from repeat offenders.
The pushback has been loud since the program was announced in August 2025. F-Droid, the free-software app repository, says the requirement would end its project, because it builds and signs apps from many pseudonymous contributors who will not hand Google a legal identity.
A Keep Android Open campaign backed by more than 70 organizations in 23 countries has asked Google to drop the ID checks for apps shipped outside Play. Google's concessions, the advanced flow, and the 20-device accounts answer the complaint that sideloading was being killed. They do not touch the deeper one: a single company would sit at the installation path for nearly every Android device outside China and decide who gets the smooth lane.
Three questions stay open before the global rollout in 2027: whether Google spells out an appeals process for developers it flags by mistake, what it keeps in the identity registry and for how long, and whether it offers any path for repositories like F-Droid that cannot meet the per-app ownership check without changing how they work.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
Android, App Security, F-Droid, Google, Google Play, Malware, mobile security, Open Source, Sideloading
⚡ Top Stories This Week
Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code
Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards
ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories
Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows
Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now
Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit
Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities
Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs
⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories
U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals
Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models
Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw
China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade
Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication
New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files
Load More ▼
⭐ Featured Resources
Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale
Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check
AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown
[Watch Demo] See Which Security Gaps Attackers Could Exploit First