Google’s big Android sideloading crackdown has a 24-hour catch – how the new limits work


Unlocking Android Developer Mode.

Adrian Kingsley-Hughes/ZDNET


ZDNET’s key takeaways

  • Google claims the move will make Android safer.
  • Sideloading from unverified developers will involve a five-step process.
  • There will also be a mandatory 24-hour cooling-off period.

For years, one of the clearest differences between Android and iOS has revolved around who has ultimate control over the hardware. Apple has always maintained that a closed ecosystem is the only way to keep users safe. Coincidentally, that closed ecosystem has also been good for Apple’s bottom line because it’s easy to grab a chunk of most digital sales on the platform. Buy a movie or pay for an app subscription, and Apple gets a commission of between 15% and 30%.

Google chose a different approach. Yes, Google has the Play Store, and yes, Google gets commission from app subscriptions and in-software add-ons. And while, for most users, the Google Play Store is where they get their apps, there are alternatives. And one of those alternatives is sideloading, the ability to install apps from unverified developers, bypassing Google’s Play Store.

But Google is planning to make some big changes to sideloading, all in the name of security.

Last year, Google began to outline how this approach would work. And the company was eager to emphasize that sideloading wasn’t going away.

But the more I read about Google’s plan to change how sideloading works, the more I feel that the process is essentially dead.

Don’t ever sideload anything onto your Android device? Then none of this affects you in any way whatsoever.

Why limit Android app sideloading?

According to Google, sideloading is a security risk. In fact, the company’s analysis found sideloading is responsible for “50 times more malware from internet-sideloaded sources than on apps available through Google Play.”

That’s a pretty compelling statistic. I mean, we know from platforms like Windows (and Mac OS) that people will download and install all sorts of stuff onto their systems in exchange for the promise of some benefit (usually something free that would otherwise cost money). 

But Google is also aware that some users need a way to sideload apps, so it’s developed a way to allow the practice to continue, while making it harder for bad guys to exploit the mechanism. 

And this shift means some big changes.

What are the new changes?

Matthew Forsythe, Google’s director of product management for Android app safety, has outlined the new process that power users will need to navigate to bypass the security mechanisms and sideload apps from unverified developers.

The process to sideload apps from unverified developers.
  1. Enable developer mode: Open the Settings app, scroll down to About Phone, and tap the build number seven times. You’ll be prompted to enter your passcode, after which, you’re in.
  2. Confirm that there’s no coaching going on: Is someone trying to get you to turn off your security? That’s a red flag, and Google wants to highlight that risk.
  3. Restart the phone and reauthenticate: This step acts as a firebreak if a third party is involved in sideloading.
  4. 24-hour cooling-off period: Google will enforce a 24-hour cooling-off period before allowing sideloads. The approach will also require biometric authentication (fingerprint or face unlock) or device PIN to continue.
  5. Install: Now the user is ready to install apps from unverified developers, and they’ll also have the option to enable the approach for seven days or allow it indefinitely. 

This mechanism, which Google calls Advanced Flow, won’t be part of the open-source element of Android, but will instead form part of the closed-source, proprietary Google Play Services platform.

Sideloading apps from verified developers and developers with limited distribution assets won’t change (here, limited distribution is very limited, and restricted to only 20 devices). These changes would apply to developers who use an outlet, such as F-Droid, and who have nothing to do with the Play Store. 

Google is planning to roll out these changes for “apps in select regions” starting September 2026.

The argument for sideloading

The biggest argument is freedom. It’s your hardware, and you should be able to do anything you want with it, up to and including installing junk and malware. 

The best overview I’ve seen as to why sideloading is important, and that any changes to the way it works will ultimately be harmful, is on Reddit. The discussion covers everything from device freedom to developer privacy and safety to having the ability to adapt and fork open-source programs. 

Reading between the lines

There’s no doubt that sideloading is a route for malware onto Android devices, and Google has the receipts for its “50 times more malware” claim. On the flip side, there’s no doubt that sideloading is a feature many Android users are passionate about.

It’s hard to overlook how deliberately cumbersome the solution that Google has come up with here is, and I can’t see anyone outside of the more hardened power users bothering to jump through all the hoops. And given that this mechanism is baked into the proprietary bit of Android, Google could decide to change it or pull the plug on it entirely down the line.

It’s also important to keep in mind that while it’s easy to get focused on apps from unverified developers (especially legitimate or scammy tools), ultimately, encouraging developers to become verified can have repercussions, because Google has the power to block apps from any developer. 

What kind of apps might Google want to pull the plug on in the future? It’s not hard to think of some. The tech giant might be put under pressure by companies to pull the plug on things such as emulators (a class of app that has required developer ID checks on the Play Store for some time now), or it might want to stop tools such as ReVanced, an app that can, among other things, enable YouTube Premium features without a subscription. I can definitely see Google wanting to protect app revenues, and blocking these kinds of apps would help it do that.

Can anyone save sideloading?

Probably not. 

The fuss kicked up so far might have elicited some concessions from Google, but I’m fairly sure the company had similar plans all along. Users could switch to iPhone, but that’s a tighter ecosystem. Those with compatible handsets could install custom operating systems, such as LineageOS and GrapheneOS, but this path is not for the faint of heart.

What about legislative pressures on Google from outside the US, from places such as the EU? After all, the European Commission — a body that is no fan of any of the big tech corporations — forced Apple to allow third-party app stores, sideloading, and alternative payment systems, killed off the Lightning port, and might ensure the iPhone has a user-replaceable battery. 

Could the EU save sideloading as we know it? I wouldn’t hold my breath, and that’s because Google hasn’t blocked sideloading. Instead, the company has just put a whole bunch of hurdles in the way. 




