It’s no secret that Google really doesn’t like it that people are installing Android applications from any other source than the Play Store. Last year they proposed locking everyone into their official software repository by requiring all apps to be signed by verified developers, an identity which would be checked against a Google-maintained list. After a lot of pushback a so-called ‘advanced flow’ for installing even unsigned APKs would be implemented, and we now know how this process is supposed to work.
Instead of the old ‘allow installing from unknown sources’ toggle, you are now going to have to dig deep into the Developer Options, to tap the Allow Unverified Packages setting and confirm that nobody is forcing you to do this. This starts a ‘security delay’ of twenty-four hours after you restart the device, following which you can finally enable the setting either temporarily or permanently. It would seem these measures are in place to make it more difficult for a scammer to coerce a user into installing a malicious app — whether or not that’s a realistic concern, we’re not sure.
When we last covered this issue, this ‘advanced flow’ had just been introduced as an appeasement option. In addition, a limited free developer account was also pitched, which now turns out to allow for only up to 20 device installations. If you want more than this, you have to pay the $25 fee and provide your government ID.
Although Google’s public pitch is still that this is ‘for user security’, it will also mean that third-party app stores are swept up in these changes, with developers who publish on these stores subject to the same verification rules. This means that Android users will have to learn quickly how to enable this new option as it will be rolled out to more countries over the coming months.
The reality is that scammers will simply work around this issue by buying up already verified developer accounts. At the same time, it’ll cripple third-party app stores and indie developers who had intended to distribute their Android app by simply providing an APK download.

Here’s a better proposal: don’t provide what 20 years ago would be considered almost a supercomputer to illiterate people with IQ of a fruit fly. Scammers exist only because there are suckers who fall for their tactics.
It’s like I side load apps all the time
Never had a problem
That’s only a desktop and laptop pc problem
Never got malware or viruses on my phone
Never needed antivirus on my phone
It’s like Google made up a problem, and trying to fix something that wasn’t broken to begin with
Sometimes I want to side load an apk, because I want an older version that didn’t display ads and shit
Or some bugs in new version
Or software simply not available on PlayStore
Linux on mobile
Can the “Allow Unverified Packages” procedure be started anytime by anyone or only by a young unicorn during the second full moon after the Autumn equinox? Thank you.
We regret that we are unable to answer your question unless you sign in to verify your identity. As part of the verification, you will be required to quantify “young”. You must also agree to our Terms of Service, which are updated daily and twice on Sundays.
Thank you for your attention to this matter.
No, only if witnessing a herd of wild elephants, on the 4th of July, during a hailstorm.
Don’t forget the baby zebra!
Quite a few of the streaming radio apps on the Play store are predatory, ongoing subscription fees to access open source, crowd sourced, station directories and ‘free’ streaming. The only app you need is RadioDroid. Perfect in function even if it is a little plain to the eye.. it’s not available on the Play Store.
The only version of Termux I trust is the github version. I’m addicted to bash scripting, wget, gallery-dl, yt-dlp, ffmpeg.. there’s so many little things you can do with Termux to polish Android’s rough corners.
I use Winlator for mass tagging in Android.. with the Windows version of mp3tag. Audio tagging in 2026, on Android, is still severely lacking.
Seems like I will be using my 2009 netbook more often from now on to do bash scripting, instead of terminal on android.
The process of putting software you want to run on a computing device already had a proper name, and that is simply “installing”. Please, everyone, stop calling it “sideloading”, that is the term they want us to use because it makes it sound like going around something we’re not supposed to.
Do you have trouble with the term “apps” as well?
App, short for “application” is a term that substituted the word “program”, don’t “they” want us to use that either? Who cares, it’s a word, nothing changes the system as it is is bad enough (people using high power computers with a tiny screen but no keyboard controlled by a silly/inaccurate touchy touch interface that in most cases is barely good enough to almost do what you need to do and then your finger slips and you move 2 pages back but there is no undo ability). Who cares.
Regarding the topic, it’s a bit annoying that “sideloading” could possibly eventually be outlawed. But people always find a way, it will become a bit harder to do, but impossible, I do not think so.
Really? It will never be impossible?
I’m still waiting for people to “find a way” to root a decently spec’d up to date phone.
It’s ironic but if you buy an unlocked Google Pixel, you can install other OSes including ones with root.
Yah….. I require the ability to do desktop mode wirelessly via Miracast though. Kind of keeps me tethered to Samsung.
No you can’t anymore. Read the news from last year. Contact GrapheneOS if you are sure about your claim, they’ll be surely interested.
Words have power, and it’s a slippery slope. Do you “sideload” “apps” on your desktop computer, or your laptop? When we can’t write or run FOSS on our own hardware without the manufacturer’s approval, is it really ours?
Apps is just a contraction of a word people have used for ages, as Application and Program have been interchangeable in common speak around computing pretty much since the beginning. But Sideloading is a rather newer invention that has been given so much spin to make the act of installing anything without paying the Big G their cut sound wrong, dangerous, etc.
So yeah we really shouldn’t be normalising that the OS/device vendor really owns the device we paid for, unfortunately clearly and snappily expressing that you are giving Big G the middle finger and installing what you want on ‘your’ device anyway doesn’t really have its own description.
No. Application is a broader abstraction around the function or a task whereas a program is specifically the software on your computer. The word “app” is blurring the line between something you have and something you merely use.
For example, many phone apps are merely web pages displayed using the browser engine on your phone. They’re not programs in the sense that you’d have a binary that you can install and run natively on the device – it’s a web app pretending to be a local program.
Talking about in common vocabulary not technical minutiae – both words have been used forever rather interchangeably to simply be something you run! If anything the difference in common language use is how polished and idiot proof the GUI is – if it’s all 8 million clicks of hand holding to do anything that is usually called an Application, if you can get everything done with one hotkey and a few clicks, but you might just need to learn how to use it it’s a Program…
Also while a Web App isn’t a local program as such, it is still the program you run to get the result, so from the regular user perspective there is no real difference. Plus in many cases it is still a local program (or at least can be) just using the browser engine to do all the work on the locally stored data.
Even on that account, if the app is essentially a website with the actual program on the server side, do you actually run it?
In that case I’d definitively agree you don’t, but also point out that to a less technical user you clicked a pretty icon and the screen did what you wanted – doesn’t matter very much where the program is being run to them as long as it does what they wanted
100% agree
if (Allow_Unverified_Packages == true) remaining_warranty_time=0;
?
Olaf
Not allowed in the EU I think. I can install any SW on my HW without losing my warranty
Technically illegal in the USA too but I’m sure Nintendo will coach them on how to circumvent the law.
You say that like Google doesn’t explicitly disclaim all warranties on their software already.
They may disclaim all they like, but in the EU the truth is that if you pay for something that does not work you are entitled to your money back (within a specified time limit).
Unfortunately I am no longer in the EU since Brexit.
Will disabling Play Services work around this?
If I can’t put a custom ROM on a phone, then at minimum I remove/disable all the Google apps, including Play Services, and install FOSS versions of everything from F-Droid. This is a day 1 procedure with any new phone I get.
Otherwise, when I get a new phone, I’m going to have to jump through that 24 hour hoop and not use it at all until the same time next day because “stupid people might do something stupid”. That’s insane.
Why don’t they make their operating system safe enough so it can handle unsigned apps?
how? Android malware nowadays uses legitimate features like screen recording, viewing screenshots, viewing the clipboard, acting as a keyboard, etc. It’s just a program. We want arbitrary access but we also want “safety”.
But only the Android that came with my phone, or via those safe OTA updates, is apparently safe enough to use banking app(lication)s…
Banking applications are just terminal applications. All safety is obviously done on the server side. Rooting your phone will not magically allow you to add one million dollars to your account, even if you can now decompile & modify the application. The excuse of forbidding “sideloading” for protecting any eye dropping (or manipulating the keyboard for generating a transfer out of your account without you noticing), is just complete bullshit. If you want to prevent this security issue, you remove the feature from the OS or you gate these features (and only those) with some user authorization. As far as I know, there isn’t even a single word about “limiting” Accessibility features, like screenshotting or fake keyboard input in this announcement.
The fix can be permissions attached to the current installed app version’s SHA-256 checksum. Yes it adds a bit of friction when permissions get reset after an update but it can be a good compromise.
That’s simply not possible on any operating system unless you’re willing to drastically limit the device features to which apps have access. You’re asking for the device to make the distinction between malicious apps and legitimate ones, and there are any number of legitimate reasons you’d want an app to be able to read or change sensitive data. The fact that this can’t be automated is the biggest reason (other than profit) that Apple has such a stranglehold on iOS apps.
It works on Windows and Linux just fine. It’s just an excuse.
The alternative is that every on-device API which could be abused triggers a pop-up which asks the user for permission.
This is a solution that works for the 1% of people who know what “API” stands for. It does not work for humanity as a whole. 99% of users just automatically approve any popup that is preventing them from using their app.
The Windows UAC popups are a history lesson in this. I think they have prevented virtually zero viruses in the past 20 years, while consuming roughly 1,000 human lifetimes of time.
Then get rid of 99% illiterate users. Tell them to f*ck off and use a mechanical typewriter. If they are dumb enough not to study computers, they are dumb enough not to be allowed life in the XXI century.
makes me icky to say it but .. I don’t really see this as a bad thing at all. Decent compromise.
.
A knowledgeable person can do whatever they want, after 24 hrs. Do it once, live your life.
.
If you don’t already have elderly parents, just wait. Of all the life stressors (career, family, money) not a lot of people talk about aging parents. 24 hour wait (to do something the vast majority of users will never need anyway, HaD readers excluded) to decrease the months long pain of identity theft in a parent/elderly person? I can live with that.
Yeah this is honestly better than I feared so long as google doesn’t change it every few months to be increasingly more restrictive/difficult (the whole crab in a pot of water with rising temperature analogy).
Sounds okay for me too. Unlocking Xiaomi phones is far worse.
I hate it. This will be as inconvenient to me as having to wait an extra day to set up my new phone (and come to think of it, what happens if you factory reset your device? Do you have to go to through this process again?). That said, I agree with everything in your comment. Ultimately this will be a positive thing, and it makes no sense to undermine the system to accommodate my niche use case.
The process Google describes provides no security but you surrender almost all your liberties. What does it prevent, honestly? How does the introduced process prevent identity theft? (Does it even speak of identity?) It vaguely presents excuses for introducing a PITA, but there’s no gain, just pain.
Their example is about someone social engineering them to enable “allow installing from unknown source”, but a scammer is very unlikely to bother doing that (because the actual process is already so complex, you can’t rely on an elder to do it correctly). He’ll likely do the usual “I need to verify it’s you, I’ll send you an SMS, please read me the code in it so I can assert you’re the one I’ve called”.
This is just plain bullshit, as usual from Google.
The SMS code thing is a different scam, and needs a different solution.
I’ve had plenty of fake support people call up and try to walk me through installing malware. It’s a vector, and I know folks who’ve fallen for it; an elderly friend lost most of his savings. This may not 100% prevent it but certainly makes it much harder.
Yup. I know too many old folks who’ve been scammed to complain about this. Honestly I wish they’d lock it down further.
The vast majority of people have no good reason to sideload an app and do not understand what that means, and what the security implications are.
This is nothing more than the equivalent of malicious compliance in regards to preserving device owners’ freedom to install what they want without Google’s interference.
If you don’t want Google, make your own SoC, write your own RTOS and build your own smartphone. They created the thing and they have full rights to what they need to ensure they’re the profitors of user interaction.
I bought Google one of their “things”, paid with my own money. Their profit is already made and the “thing” now belongs to me. By rights I should be the only one that gets to decide what to do with it.
I bought a car with my own money. Can I install an explosive device camouflaged as baby seat in it? Sure:)
Wow all the terrible analogies coming out of the woodwork now. Installing any app I want on my own device is in no way “installing an explosive device camouflaged as a baby seat”. But keep licking that boot buddy!
And yes, good shot, 4306. Suppliers of automated woodworking lines are making the same sht as Google. Mostly usable hardware with shtty locked barely usable software.
Bad analogy, Google don’t make all phone SoCs nor build all smartphones (your requirements would then only stand for pixel phones). Bait and switch is still illegal no matter how a company may try to frame it. When I bought my phone it was advertised as having the capability to install my own apps from outside the play store, removal of this feature after purchase is reprehensible.
So when do we get a Linux phone that doesn’t have anemic hardware?
When enough people agree to pay (beforehand) a correct (i.e., not subsidized) price for it. Then it can be developed, built and sent to buyers.
But you know, people choose cheap things first, and then complain about them later.
You say people choose cheap things first, I’d argue that isn’t true, as if it was nobody would use Windoze when so many vendors let you save money buying your computer without… The problem is a lack of attempts at a real Linux phone using a remotely modern chip when it is created.
Though with Valve using a Snapdragon in the Frame, and a few other laptops using them too the dream of a chip with enough manufacturer support that is modern chip with decent energy efficiency and performance to be a general and actually daily drivable Linux phone now is looking rather more promising. Assuming you can get together enough funding or the support of the chip supplier etc to start such a project.
Not to belittle the older attempts, that are no doubt going to be a useful stepping stone to build from, just they all had to compromise a bit too hard on the silicon at the time to be that compelling, and have only fallen further behind.
How do you explain Apple, then? Or any of the flagship Android phones that cost over a thousand dollars?
You could make a Linux phone in that price range. It’s just that it won’t be any good because it’s missing all the apps and general infrastructure as a software platform, and the hardware compatibility (options and performance) and the general UI/UX sucks. It would be again expecting a bunch of uncoordinated and to a great extent unpaid amateurs to come up with something finished and polished when none of them can even agree what they should be doing, without any industry backup or support from OEMs because nobody’s taking them seriously.
To make it work, you’d need to set up a company around the point and take control of the development with commercial intent and focus, which is what Google did with Android. You want Linux phones, you already have them.
Apple? Same as buying Rolex, Nike, etc. Mostly people buy it because of the brand. Some people buy it expecting better quality. And if you agree with Apple’s rules, everything kind of “just works”.
As for the Linux phone: you repeated what I wrote. If enough people want so much a Linux phone that they will put their money where their words are, it can be built. But will cost probably more than that flagship Android phone you mention, due to production costs.
And then the people who bought it will complain that nobody develops programs for it. And with a very small user base, that will happen only if they pay for it.
And we are back to the “people want cheap things”. And I would add, “unless it is them doing the work. Then they want top money”. Or the complaints will be “Somebody should do this app”. The person who demands it always has some excuse (“don’t have time” or “I’m not a programmer”). But they want others’ work to be had for free.
“I’m not a programmer” is not an excuse, it’s most often just the fact.
The problem with “Linux” is that it insists on being free – it won’t accept money for the point that it would constrain the developers to do what the customers want instead of what they themselves want to do with their toy of an operating system. They don’t really care about what the users want or need, or they have other ideas about what the users should want or need.
Android is the exact opposite: it’s free because it’s a trap to get independent software vendors into the ecosystem where they have to pay Google a tax to distribute their software on the platform.
It’s not the building that is the problem. It’s not an issue of making an individual phone as a product, but making the ecosystem to make Linux phones viable in general. Android did that, and it took a commercial interest like Google to put their foot down and say “This is how it’s going to work and here’s what you do to make it.”
It didn’t start from the consumers demanding a new system, because consumers never demand new stuff – they demand what they already know is good. For “Linux” phones to succeed, you need to introduce a controlled uniform system that targets consumer needs, instead of a wishy washy vague ideal like “open freedom” that doesn’t have any concrete meaning and doesn’t produce any tangible results.
Consumers can’t choose Linux because it doesn’t really mean anything for them – they don’t know where to put their money to get what they want, and the community is refusing to provide such a target because it would bind them into providing exactly that. The community wants the money but not the responsibility to do the work they’re paid for.
Really not true at all, most of the biggest distros ARE directly corporate funded and large portions of the work done for Linux as a whole is paid for and/or developed by those companies for their own and their clients’ needs! The OS really is not a toy at all, which is kinda why it runs basically everything…
Brax3
https://www.braxtech.net/
Try postmarketOS. Works for me.
Like the FLX1s ? Or the Jolla Phone ?
They don’t have the marketing power of Google. But they exist. And it’s usable (not perfect, good for most things with still some weird UX’s sometimes)
This is fine. The 24 hour wait is hilarious but will prevent a lot of scams by forcing people to sleep on it.
Except it probably won’t prevent most of them – as the Play store itself is frequently caught full of malware they don’t swiftly remove, and applications from that source, or signed apps in general that are malicious are still installable without any road block at all!
So the developer of the malware probably stole somebody’s identity and paid their one time Google membership fee and will get years of scamming folks out of it before it is finally shut down. The users haven’t been protected from scammers very much at all, just infantilised and the issue confused enough to leave them quite possibly believing that anything the phone doesn’t ask you the ‘Are you sure’, ‘Are you really sure’ message is perfectly safe…
So great the Big G gets to charge a small tax on the malware vendors for themselves, and because it’s so small the scumbags won’t care, but the user really isn’t any safer.
I think you’re greatly exaggerating the prevalence of malware on the play store, especially in comparison to the web in general where every website you find “off the beaten path” is trying to get you to install some “videoplayer.exe” or “download accelerator”.
Plenty of it keeps being found – all you need is that little bit of social engineering to scare the user into doing what you want or to create the right advertising buzz around your new better than Discord or auto pass the age verification Discord app (etc) to distribute this malware.
Didn’t say that regular windoze stuff especially off the beaten path is better. However in this case if it’s on the play store, or signed by a Google approved developer it really isn’t “Off the beaten path” so that isn’t a fair comparison to that anyway. While on the other side in that wilderness the Antivirus scanners, even Microslop’s own windon’t defender are pretty good filters that will detect many of those variations on a theme from the known malware anyway – so it probably is better!
But the point is this ‘sideloading’ roadblock is not a valid, functional security measure at all while the bad actors CAN get their software signed for a friction free install, and they are doing so. It is nothing but making it obnoxious for anybody to distribute their software without paying Google for the privilege first.
I would prefer if you gave statistics.
To which part?
Though in either case it’s basically going to be a made up number – as really given how hard it is to verify and catch the crap all you can really do is point to the many many times anti-virus type programs have matched the fingerprint and thus caught a new vector and applications on the play store have proved malicious. Both of which you can find plenty of proof has happened, but what the true ratio of good to bad is can never be anything but a pretty wild extrapolation from far too little hard evidence.
It’s certainly a lot higher than on the Apple App Store, but at least Google are trying to manage it and there’s a hope of stuff being removed when it’s reported.
The common scam calls are trying to trick you by urgency, like “Someone stole your identity and now they’re emptying your bank account, quick I need you to log in through this fake website and let us transfer your money to a ‘safe’ account!”
Unfortunately the 24 hour wait period doesn’t really help against those scams, because they’re not relying on you installing malware. They’re relying on you being stupid.
Exactly the point. This is just bullshit from Google to gain monopoly with a vague excuse of security.
24h is plenty long enough for an old person to call their kids or grandkids. It won’t stop all of it, but it’s going to make it a lot harder for scammers.
Honestly even 10 mins of being off the phone with the scammer is often all it takes for people to realise something isn’t right. But when the scammer is keeping them on the phone and under pressure they can’t think straight.
Aren’t all DJI apps essentially side loaded? As far as I can recall you have to install it by APK for the last 5/6 years. Wonder what they’ll do to get around this.
Anyone else getting fed up with big corporations dictating what we can and can’t do with expensive devices that we paid for and own? This crap from Google, and the way the MS can arbitrarily restart my PC without my consent? Just two examples. They can only get away with it because they basically hold a monopoly and for a lot of people the alternative just isn’t an option. I’ve tried Linux many many times since the mid 90s at least, and never once found it palatable enough for my needs.
It’s like a new language. It’s hard when you start and then it becomes your main language the more you are practicing it. Honestly, Linux (the desktops and applications) have improved a lot since the last 5 years. It installs without pain or hassle, it’s more customizable than windows or macos, and delivers much more. In my family, they are using a Linux computer without even realizing it’s Linux underneath. It just works. I’m having a hard time going back to Windows now.
Listen & repeat:
I will use LineageOS.
or GrapheneOS
IMHO, GrapheneOS is dead in the next 2 years or so. They are trying to survive with external manufacturers like Motorola because Google is closing their access. Motorola will likely deliver a phone or two with opened bootloader and some documentation, but after that, if they don’t get the sales to compensate the development efforts they’ve invested, they’ll just end the deal and that’s it. The GrapheneOS market is peanuts to them.
I have a mini gameboy styled “powkiddy” handheld that runs a cut down customized version of Ubuntu linux (ark os) and cost about $70. Why can’t someone put together a device with a similar custom linux os in the shape of a phone and sell it at a reasonable price? This wouldn’t appeal to the average consumer but it’s a start.
How about the PinePhone ?
Well this won’t work for me. It asks me if anyone is forcing me to do this and I have to honestly say yes. Google is forcing me to do this because the apps in the Play store aren’t what I want.
This is why my next project is the “Half Brick” – simply a Pi Zero or similar in a power bank. That can run pretty much anything I want that Google doesn’t allow, just using the phone as a terminal and internet access point.
Personally, I find that I rarely install an apk from the web to a mobile device. I usually download it to a PC and then copy it via adb, and I assume that process is not going to be affected. I suppose it’s because I so much prefer using a device with a full-size keyboard and screen.
This video is perfect for this subject. A must see for HaD. Enshitification run rampant.
https://youtu.be/T4Upf_B9RLQ?si=d4ekmpob0_mHpjpt
That’s a good point, I very much assume that installing via adb isn’t affected here, as us Android devs would throw a fit over having to wait 24 hours before we could use that new or newly reset Android test device.
Of course, for the average user adb installation is quite beyond their expected PC skills, unless made easy with some kind of dumbed-down GUI app. Which wouldn’t be that hard either.
No. There are literally thousands of drunk driving deaths each year, should every car have an ignition interlock? There are even more driving deaths each year, should we just get rid of cars and use horses? But then what about falling off horses deaths? Better to just walk, hmmm but then there might be heart attacks…
See what your type of insane logic does? My examples are about actual physical safety too…
Damn, I guess inline comments are broken.
This is in response to Dan saying “this is a good thing and they should do more to ‘protect’ people”
About that….
https://www.kbb.com/car-news/explaining-the-car-kill-switch-controversy/
I’m always behind the curve on Android so it’ll probably be years before i’m exposed to this stupid process, and by then it will have been reinvented a few times by google and probably by vendors as well.
If i do decide to use the stock vendor-provided OS, and this is still the process, then i don’t think it’ll be any hassle at all for me because i already have a verified app store ID. It’s not a hard process to complete, to become verified. But i’ve already got a bunch of reasons, i want to try lineageos or similar on my next phone, before i even set it up. And anyways the 24 hour delay seems stupid but in practice is not gonna hurt me. The struggle for me is always considering the question, how much inconvenience am i willing to accept for the feature of ‘google pay’? gpay did actually save me a bit of hassle recently when i briefly lost my wallet shrug Maybe i’m just used to my phone kind of sucking.
But i just want to ridicule in the most derogatory way the assertion here — both in the article and comments — that there is doubt about someone being tricked into installing malware on android. Yes, it’s a genuine problem. Skepticism about the problem betrays a jaw-dropping level of ignorance.
Unfortunately, it’s also true that malware authors will not have any trouble jumping through these hoops one way or the other. Just as legit app developers won’t. If you want your app to be used by thousands of people, it’s simply a fact that you are going to have to accept a little inconvenience into your life and the verified developer process is not even in the top 10 of obnoxious hoops google has made me jump through over the years.
For EU residents, you can report this to
comp-market-information@ec.europa.eu
Or
Commission européenne – Direction générale de la concurrence
Greffe Antitrust
B-1049 Bruxelles (Belgique)
It will probably be more helpful than ranting about it in android forums