Google's solution to the malware problem on Android has been revealed. It wants app developers to verify their identity, even if they distribute their apps outside the Google Play Store.
Here's a brief overview of how requirements stand currently. Developers who distribute their apps via the Google Play Store must accept the Play Console Requirements (Android Developer Console). They have to provide Google the following information:
- Legal name and address
- D-U-N-S number, if registering as an organization
- Contact email address and phone number
- Developer email address and phone number shown on Google Play where applicable
- Payment methods where applicable
- Google payment profile linked to your developer account
- An official government ID may also be required
App developers who distribute their apps via third-party sources like GitHub, F-Droid, etc., don't have to provide all this information to Google. Anyone with the knowledge and skill to develop apps can create and upload apps on the internet, anonymously.
That's what's changing. Google's new policy could make sideloading apps harder. The very first line of Google's announcement says, "You shouldn’t have to choose between open and secure." Android has always been open, giving users the freedom to do what they want. Google seems to be drifting away from this.
Google says that malicious actors use anonymity to impersonate legitimate apps, and use those apps' brand image to create convincing fake apps. Ah yes, the good old security card. That's straight out of Apple's playbook.
Google claims its recent analysis found over 50 times more malware from sideloaded apps than from those available on Google Play. There, you said it yourself, even Google Play is prone to malware. What about Google Play Protect? Does it not scan apps for malware? It doesn't matter; the Mountain View company has decided that an additional layer of security is required: developer verification.
"Starting next year, Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices." Certified Android devices refers to any device that utilizes Google Mobile Services, including the Play Store; that's practically 99% of devices out there. So, any app whose developer has not verified their identity will be prevented from being installed on Android devices.
Google is building a new Android Developer Console for apps that are distributed outside Google Play. A preview of it is available on a support page and a PDF.
Developers will need to provide their legal name, address, D-U-N-S number (for organizations), email address, phone number, and a government ID. In other words, it is similar to the regular experience. In addition to these, app devs will need to register their app’s package names, which will be linked to the developer's identity. Finally, they will need to sign the APK with their private key and upload it to verify ownership.
Students and hobbyist developers will be able to create an account with fewer requirements, and without the $25 registration fee.
Google believes that by identifying developers, and blocking non-compliant ones, the risk of malware is greatly reduced. The company says that the new rules were welcomed with positive feedback from the Brazilian Federation of Banks (FEBRABAN), Indonesia's Ministry of Communications and Digital Affairs, and Thailand’s Ministry of Digital Economy and Society.
Sure, these new rules may block malicious apps, but this could come at a great cost. This could end up being a disaster for the privacy of developers. I wouldn't be surprised if a few app developers, who want to protect their privacy, ditch Android as a platform because of this. Perhaps that's what Google wants? To discourage devs and drive them away from third-party stores? F-Droid, LibreTube, NewPipe, ReVanced, Syncthing-Fork, and Cromite are some examples of popular apps that are not distributed on the Play Store. Such developers will need to provide their real information to Google, otherwise their apps may be blacklisted. That could be viewed as anti-competitive behavior, and invite new antitrust investigations. Apple got hit by antitrust investigations for trying to influence third-party app markets in Europe, and deservedly so.
Apps could be hit with DMCA notices if their developer information is available; this may affect apps like emulators. Other apps could be discontinued if devs choose not to register their details with Google.
Google will begin early access for verification in October 2025, and start opening verification for all developers in March 2026. The new rules will come into effect in September 2026 in Brazil, Indonesia, Singapore, and Thailand. They will become a global requirement in 2027 and later.
This is how it starts, what next? Will sideloading be blocked completely in the future? It may not be long before Android becomes a walled garden like iOS.
The post Google wants Android app developers to verify their identity, this could affect sideloading apps appeared first on gHacks Technology News.