Google is making it significantly more difficult, but not impossible, for Android users to sideload apps from outside the Google Play Store.
Its method: introducing a deliberate set of security hurdles designed to thwart scammers while preserving a degree of platform openness. The changes, detailed in a blog post and set to roll out starting in August 2026 with full enforcement in September, stem from Google's broader push to require developer verification for apps installed on certified Android devices.
Previously, users could simply download an APK file and install it after accepting a standard warning.
Now, apps from unverified developers will be hidden behind an "advanced flow" process that adds multiple layers of friction, including a mandatory 24-hour waiting period.
To enable sideloading of unverified apps, users must first turn on developer mode in system settings.
They are then prompted to confirm that the decision is voluntary and not the result of external coercion, such as a scammer on the phone urging them to disable protections under threat of financial loss, legal trouble, or harm to a loved one. The device then requires a restart and re-authentication to sever any potential remote access or ongoing calls.
After that, a full 24-hour delay kicks in, giving users time to reconsider.
Only once that period has passed can they finalize the change using biometric authentication or a device PIN.
The setting can be activated for seven days or left enabled indefinitely, after which users will still see (and must dismiss).
This is a clear warning when installing apps from unverified sources.
Google’s rationale centers on the evolving threat landscape.
Scammers have increasingly exploited the ease of sideloading by guiding victims through the installation of malicious apps that grant elevated privileges or disable Google Play Protect. The company cites data showing that a majority of adults globally encountered scams in 2025, often driven by manufactured urgency.
The waiting period and anti-coercion checks are explicitly engineered to break that momentum, forcing a cooling-off interval that makes real-time social engineering far less effective.
The policy builds on last year’s introduction of mandatory developer verification, which already required apps on certified devices to be registered by verified developers to improve traceability and faster blocking of bad actors.
Critics, including organizations such as the EFF, F-Droid, and various privacy-focused developers, have argued that verification creates unnecessary barriers, privacy risks, and friction for open-source and hobbyist projects. In response, Google is offering free “limited distribution” accounts that allow students, hobbyists, and small teams to share apps with up to 20 devices without paying fees or submitting government ID, providing a middle path for legitimate low-volume distribution.
For most everyday users, the practical effect will be that sideloading unverified APKs becomes far less straightforward, effectively nudging people toward the safer, verified ecosystem of the Play Store or apps from properly registered developers.
Power users and tinkerers who need broader access can still get there, but only after jumping through the new hoops. ADB installations remain exempt from the waiting period, offering developers and advanced users a familiar command-line workaround.
The move arrives amid ongoing antitrust scrutiny and Google’s 2025 settlement with Epic Games, which has pushed the company to demonstrate that it can balance security with user choice.
Google insists sideloading "is here to stay," but the company is clearly determined to make the riskier paths deliberately inconvenient.