The Android gate just got a lock: Google’s new rule could limit app access
Google has announced that starting in 2026, all app developers will need to verify their identities if they want their apps to stay available on Android. While this rule applies to all apps, regardless of where they were installed from, developers who already have their apps on the Google Play Store probably won’t notice much of a change.
Google says that if an app is already on the Play Store, the developer has most likely already provided all the information needed for verification. The store will simply use those existing details to automatically register the app.
The ones who will be impacted are developers who distribute their apps outside the Play Store — and the users who rely on those apps. This includes apps shared through third-party stores like APKPure, F-Droid, the Amazon Appstore, and others, as well as apps offered directly on developers’ websites as .APK files.
Google explained that by introducing this new verification procedure, it aims to “better protect users from repeat bad actors spreading malware and scams.” According to the company’s data, apps available on Google Play contain over 50 times less malware than those distributed outside the store.
What will verification look like and who will be affected?
Google says it’s building a new Android Developer Console specifically for developers who distribute their apps outside of the Play Store. For those interested in an early look, the company has published documentation outlining the initial steps of the new process.
Importantly, if a developer distributes apps both on Google Play and outside of Google Play, they won’t need to create a separate Android Developer Console account. A new option will be added to their existing Play Console account where they can register the apps they distribute outside of the Play Store. Developers who distribute apps exclusively outside of Google Play, however, will need to create a new account.
As part of the registration process, developers — whether individuals or organizations — will be required to submit a valid government-issued ID (for example, a passport or a driving license), along with a verified email address and phone number. These will need to be confirmed via a one-time code sent by Google. The system then guides the developer through linking their app’s package name to their verified identity by submitting the public SHA-256 fingerprint of their signing key, and uploading a signed APK containing a specific verification file. For most developers — especially those using a single key and unique package name — the process should be quick and straightforward, taking around 10 minutes to complete.
Notably, the actual contents of the app are not reviewed during this process. Google compares the verification step to an ID check at the airport — confirming who you are rather than scanning your bags with an X-ray machine.
Google also said that hobby developers and students will be exempt from the full verification requirements, which could otherwise be a hassle for them. Instead, they’ll be able to create a special type of account with fewer checks and no need to pay the usual $25 fee. All other developers will still need to go through the full verification process and pay the $25 fee to set up an account in the new console.
Uncertain benefits for users, certain headache for developers
The new policy has immediately drawn backlash from the developer community. One of the concerns was that the new rules would hardly stop bad actors who will find ways to game the new system as determined attackers have already demonstrated their ability to work around existing safeguards within Google’s own ecosystem.
It’s no secret that hundreds of malicious apps continue to slip through the cracks of the Google Play Store, despite the fact that developers there are already subject to identity verification and security checks. A recent investigation by Bitdefender uncovered a large-scale ad fraud and phishing campaign involving at least 331 malicious apps on Google Play, which collectively amassed over 60 million downloads. These apps bypassed Android 13’s security restrictions with ease, used advanced techniques to hide their presence, and even deployed phishing attacks to steal user credentials and credit card data — all while operating under the guise of legitimate utility apps.
Meanwhile, for legitimate developers — who far outnumber bad actors — the new system will likely just create more headaches. It’s still unclear exactly how burdensome the process will be, but the impact is expected to be noticeable. Smaller developers and those who rely on sideloading or third-party app stores instead of Google Play are likely to feel the difference most.
False sense of security and limited choice
From the user’s perspective, the changes may lead to some unintended and potentially far-reaching negative consequences. First and foremost, app selection, especially outside of Google Play, is likely to shrink. Legitimate indie developers who rely on sideloading or third-party app stores may choose to pull back rather than go through the added verification hurdles. Ironically, this could lead to a higher concentration of malicious apps in those spaces, as scammers have a stronger incentive to go through verification than small developers, who often make little or no money from their apps.
There’s also a risk that the new policy could create a false sense of security. If users start to assume that any app — even those installed from outside the Play Store — is safe simply because it comes from a verified developer, they may lower their guard. That could result in more careless downloading habits, with users skipping basic caution and installing apps without properly considering the risks.
What will happen to AdGuard for Android?
Those who use AdGuard ad blocker on Android know that the app cannot be found on Google Play. That’s because Google's policies prohibit full-fledged, network-level ad blockers. You can download the full version of AdGuard directly from our official website, and it’s also available on several third-party app stores.
For our part, we remain committed to keeping AdGuard accessible to everyone. And we can assure you that we’ll take all the necessary steps to comply with Google’s new policy and ensure the app stays available going forward.
