Source: Hacker News

Android “Advanced Flow” – Bypassing the New Developer‑Verification Sideloading Restrictions

Google is planning major changes for Android in 2026 to combat malware across the whole device ecosystem. Starting in September, the company will begin restricting application sideloading through its new developer verification program — but power users will still have a way to skip verification via the advanced flow.

“In that 24‑hour period, we think it becomes much harder for attackers to persist their attack,” – Sameer Samat, Android Ecosystem President

---

Background

• What’s changing?

  • Only apps from verified developers can be installed on Android phones.
  • Verification requires:
    1. Developer identification
    2. Upload of signing‑key copy
    3. A US $25 fee

• Why it matters

  • Unverified apps will be blocked unless the user enables the hidden advanced flow in Developer Options.
  • The flow is deliberately obscure and requires a 24‑hour waiting period before it becomes active.

Source: Ars Technica – Google will block sideloading of unverified Android apps starting next year

---

Enabling the Advanced Flow

Note: The actual steps take only a few seconds, but the 24‑hour countdown cannot be bypassed.

1. Enable Developer Options

   • Open Settings → About phone.
   • Tap the Build number seven times.

2. Open the Advanced Flow toggle

   • Go to Settings → System → Developer options.
   • Scroll down to Allow Unverified Packages.

3. Activate the bypass

   • Flip the toggle and confirm you are not being coerced.
   • Enter your device unlock code.

4. Restart your device

5. Wait 24 hours (the security delay).

6. Finalize the setting

   • Return to Allow Unverified Packages after the countdown.
   • Scroll past additional warnings and choose:
     • Allow temporarily (7 days) or
     • Allow indefinitely (no expiration).
   • Check the box confirming you understand the risks.

7. Install unverified apps

   • When you open an APK, tap Install anyway in the package manager.

---

What the UI Looks Like

You’ll have to wait 24 hours to bypass verification.

Credit: Google

---

After Enabling

• You can turn Developer Options off again if you prefer.
• Selecting “indefinitely” once is enough; you won’t need to repeat the process for future sideloads.

---

References

• Google’s announcement: Android Developer Verification – Google Blog
• Ars Technica coverage:
  • With developer verification, Google’s Apple envy threatens to dismantle Android’s open legacy – link

---

Prepared from publicly available sources; no confidential information is disclosed.

Choice vs. security

According to Samat, Google feels a responsibility to Android users worldwide, and things are different than they used to be with more than 3 billion active devices out there.

“For a lot of people in the world, their phone is their only computer, and it stores some of their most private information,” Samat said. “Over the years, we’ve evolved the platform to keep it open while also keeping it safe. And I want to emphasize, if the platform isn’t safe, people aren’t going to use it, and that’s a lose‑lose situation for everyone, including developers.”

---

What does that safety look like?

Google says it isn’t interested in the content of apps and won’t be checking them proactively when developers register. The verification process is only about identity verification—you should know when you’re installing an app that it isn’t an imposter and doesn’t come from a known purveyor of malware.

• If a verified developer distributes malware, they’re unlikely to remain verified.
• “Malware,” in the context of developer verification, is an application package that “causes harm to the user’s device or personal data that the user did not intend.”

So, a rootkit can be malware, but a rootkit you deliberately download to gain root access isn’t considered malware from Samat’s perspective. Likewise, an alternative YouTube client that bypasses Google’s ads and feature limits isn’t causing the kind of harm that would jeopardize verification.

Google says sideloading isn’t going away, but it is changing.
Credit: Google

---

Open questions & concerns

• Verification rollout: Google is proceeding cautiously, and some details remain spotty. Privacy advocates worry that verification could create a database that puts independent developers at risk of legal action. Samat says Google pushes back on improper judicial orders for user data and does not intend to maintain a permanent list of developer identities vulnerable to legal demands. We have asked for clarification on what data Google retains from the verification process and for how long.

• Developers in sanctioned nations: There is concern that developers living in countries subject to sanctions might be unable to verify because of the required fee. Google notes that the verification process may vary across countries and was not created specifically to bar developers in places like Cuba or Iran. We have requested details on how Google will handle these edge cases and will update if we learn more.

Rolling out in 2026 and beyond

Android users in most of the world don’t have to worry about developer verification yet, but that day is coming. In September, verification enforcement will begin in Brazil, Singapore, Indonesia, and Thailand. Impersonation and guided scams are more common in these regions, so Google is starting there before expanding verification globally next year. Google has stressed that the advanced flow will be available before the initial rollout in September.

Google stands by its assertion that users are 50 times more likely to get malware outside Google Play than inside it. A big part of the gap, Samat says, is Google’s decision in 2023 to begin verifying developer identities in the Play Store. This provided a framework for universal developer verification. While there are certainly reasons Google might like the control verification gives it, the Android team has felt real pressure from regulators in areas with malware issues to address platform security.

“In a lot of countries, there is chatter about if this isn’t safer, then there may need to be regulatory action to lock down more of this stuff,” Samat told Ars Technica. “I don’t think that it’s well understood that this is a real security concern in a number of countries.”

Google has already started delivering the verifier to devices around the world—it’s integrated with Android 16.1, which launched late in 2025. Eventually, the verifier and advanced flow will be on all currently supported Android devices. The UI will be consistent, with Google providing all the components and scare screens. So what you see here should be similar to what appears on your phone in a few months, regardless of who made it.

---

Ryan Whitwam is a senior technology reporter at Ars Technica, covering the ways Google, AI, and mobile technology continue to change the world. Over his 20‑year career, he’s written for Android Police, ExtremeTech, Wirecutter, NY Times, and more. He has reviewed more phones than most people will ever own. You can follow him on Bluesky, where you will see photos of his dozens of mechanical keyboards.

57 Comments

---