In August, Google announced that it will require developer verification to install Android apps, including through sideloading. That’s continuing, but Google is working on a solution for “experienced users.”
While the developer verification plans are proceeding (with early access starting today), Google shared that it’s “building a new advanced flow that allows experienced users to accept the risks of installing software that isn’t verified.” This is for developers and power users.
We are designing this flow specifically to resist coercion, ensuring that users aren’t tricked into bypassing these safety checks while under pressure from a scammer. It will also include clear warnings to ensure users fully understand the risks involved, but ultimately, it puts the choice in their hands.
Google is “gathering early feedback on the design of this feature now and will share more details in the coming months.”
The company today provided more details on why it thinks developer verification is important to protect Android users. Highlights include:
- “Technical safeguards are critical, but they cannot solve for every scenario where a user is manipulated. Scammers use high-pressure social engineering tactics to trick users into bypassing the very warnings designed to protect them.”
- “For example, a common attack we track in Southeast Asia illustrates this threat clearly. A scammer calls a victim claiming their bank account is compromised and uses fear and urgency to direct them to sideload a “verification app” to secure their funds, often coaching them to ignore standard security warnings. Once installed, this app — actually malware — intercepts the victim’s notifications. When the user logs into their real banking app, the malware captures their two-factor authentication codes, giving the scammer everything they need to drain the account.”
- “While we have advanced safeguards and protections to detect and take down bad apps, without verification, bad actors can spin up new harmful apps instantly. It becomes an endless game of whack-a-mole. “
Google says verification forces bad actors to use “real identity to distribute malware, making attacks significantly harder and more costly to scale.” It says that developer verification requirements in Google Play have been “effective.”
…we are now applying those lessons to the broader Android ecosystem to ensure there is a real, accountable identity behind the software you install.
Meanwhile, work on a “dedicated account type for students and hobbyists” continues. This will allow for app distribution to a “limited number of devices without going through the full verification requirements.”
FTC: We use income earning auto affiliate links. More.
