Google adds 24‑hour sideload waits

Google is adding a one-time 24-hour wait before many Android users can sideload apps from unverified developers. (android-developers.googleblog.com) Google outlined the new “advanced flow” on March 19, 2026. Users who want to bypass developer verification must enable Developer mode, answer a coercion check, restart the phone, reauthenticate, and then wait one day before they can install the app. (android-developers.googleblog.com) The company said the user-side protections will first take effect on certified Android devices in Brazil, Indonesia, Singapore, and Thailand on September 30, 2026, before a broader global expansion in 2027. Google said apps from unregistered developers will still be installable through Android Debug Bridge, or ADB, and through the advanced flow. (android-developers.googleblog.com) Sideloading is Android’s practice of installing an app from outside the Google Play store, usually from a website, file manager, messaging app, or third-party repository. Google said more than 95 percent of installs from major malware families that abused sensitive permissions linked to financial fraud came from those internet-sideloading sources. (security.googleblog.com) Google said the one-day delay is meant to break scam scripts that rely on urgency and live coaching. In its March 19 post, the company said the restart and reauthentication steps are designed to cut off remote access sessions or phone calls that a scammer may be using to guide a victim through the install. (android-developers.googleblog.com) The change lands in the middle of a larger developer-verification push that Google first announced in August 2025. Under that plan, Android apps must be registered to verified developers to install on certified devices in the affected markets, including apps distributed outside Google Play. (android-developers.googleblog.com) That broader policy has also pulled third-party repositories into the debate. F-Droid’s homepage says “Google is changing the way you install apps on your device,” and links to a campaign site called Keep Android Open. (f-droid.org) One repository caught up in the backlash is IzzyOnDroid, an F-Droid-compatible catalog that says it distributes developer-signed APK files pulled from projects’ own repositories, applies additional screening, and checks whether some apps can be rebuilt reproducibly to match the distributed package. Its public index listed 1,361 apps when it was crawled this week. (izzyondroid.org, apt.izzysoft.de) Google has said developers can still choose where to distribute their apps, and that “most” users’ install experience will not change if apps are registered properly. The friction starts when a user tries to install an unregistered app on a certified device, which is exactly the path many open-source and hobbyist projects have relied on for years. (android-developers.googleblog.com) For Android power users, the practical change is simple: sideloading is still there, but the fast path is narrowing. By late 2026 in the first four countries, and more widely after that, installing an unverified app will mean planning a day ahead. (android-developers.googleblog.com)