Android developer verification - The fox guarding the henhouse

Updated: July 10, 2026

You must have heard. Google is rolling out a new framework of security to the smartphone world, and it's called Android Developer Verification (ADV). The new process will supposedly and hopefully make Android safer, more secure, and give the confused, terrified normies a higher chance of success against scams and similar nonsense in the dreadful online jungle. While the idea sounds good, alas, like many a tech idea, especially those championed by big companies, it's not really going to be that beneficial to the end user.

What's this about? Well, Google is going to make it somewhat harder for just about anyone to register their software with the Play Store, and, at the same time, it's going to make it much harder to sideload apps onto Android. In other words, if you thought you can do whatever you like with your "open" Android phone, think again. And this where the tech world exploded in anger, and there's so much noise. I would like to add my share into the pandemonium of justified indignation. Follow me.

Teaser

Note: Image adapted from Wikimedia, licensed under CC BY-SA 4.0.

Actually, the idea isn't that bad

Put your disdain of the big tech aside for a moment. If you think about it, sans emotions, the concept of developer verification isn't such a horrendous idea. After all, if you allow people or companies to publish software in your store, and that software potentially touches personal data, even highly sensitive personal data, and you are in charge of the store, and your reputation and profit are at stake, then you do have the right to try to protect your assets - and your customers. That is not in dispute, nor should it be.

The problem is that, with the introduction of ADV, Google compounded multiple problems in one solution.

Sideloading isn't or shouldn't be related to ADV in any way

The main goal of any entity running a software store is to be successful. That means, said entities have every reason to try to bring in and keep in as many potential users as possible. You don't need to be a genius to understand how this could immediately create a conflict of interest when it comes to where and how software ought to be governed. In a nutshell, by restricting sideloading, Google decided that it is in charge of ALL of Android.

Sure, sideloading remains possible, but then, it's an entirely arbitrary choice, because the same way it is going to be restricted with the current changes, it can be restricted still more. Imagine a scenario where you sort of want to use an app that's not on the "approved" list, and oops, you can't anymore! Android is supposed to be this "open" platform, with Google only one of the many players. Indeed, here's a snippet of text from the linked FAQ above, and also a screenshot, because why not:

Sideloading is fundamental to Android, and it's not going anywhere. Our new developer identity requirements are designed to protect users and developers from bad actors, not to limit choice. We want to make sure that if you download an app from a developer, regardless of where you get it, it's actually from them. Verified developers will have the same freedom to distribute their apps directly to users through sideloading or to use any app store they prefer.

Dev Verification FAQ

If you read the description, it can be interpreted in many ways. Android remains open, yes. But then, it's (only) "verified developers" who will have the freedom to distribute their apps directly ... What. Why? So if a user wants to install an app whose developer didn't want to verify with Google, then what?

You can see why ADV suddenly looks weird.

Now, let me elaborate some more. First, the technical aspects, then the cynical outlook:

The Internet is the problem

It's time to get cynical. For 20 years, the common pleb was told to enjoy the Internet. Don't worry. Click, tap, buy. HTML email so you can have embedded BUY buttons. Enticing offers and shiny stuff so the lesser minds get easily swayed. Everything is quick and convenient and opaque. Smartphone apps are nothing more than webpages with some extras, but they hide the address bar, they hide the details that would make you pause and question the entire process.

For 20 years, the common ape was told to buy, buy, buy, and never doubt and question the status quo. If you remember how things were back then, then, one could say that the whole purpose of this smartphone experiment was to indoctrinate an entire generation into impulse buying. This is of course cynical paraphrasing, but then, look at the state of affairs. Shitty ads everywhere, inside apps. Let's not forget in-app purchases and micro-transactions and similar dross.

The digital stores are designed to mimic the regular ones, to give the person a sense of comfort and safety and opulence. Whenever you open a smartphone store, on any device, any platform, you will be greeted with phrases like "Discover" and "Shop" and "Enjoy".

And then, of course, the "bad guys" want a piece of the cake, too. Ads generate revenue? Well, hello! No way to distinguish between legitimate and fake apps because the information is hidden? Hello! Shopping can easily be done through the browser, sandboxed, with a distinct address bar, adblocker in place, and extra security. But no! Let's create a separate "app" for every pointless brand out there, so you shop for your shoes in one app, and for other shoes in another app, and for your shampoo in a third app, and so forth. It doesn't take a criminal mastermind to realize this process is ripe for the taking.

Now, the big guys have a massive conflict on their hands:

So what's the solution? Make it harder for the good honest guy to participate in this process! It's not just Google. Think about it. Who does DVD region restrictions inconvenience? The actual buyers. Who is harmed by DRM? The actual buyers. Who suffers from "digital licenses" when your books and movies that you "bought" are suddenly removed from your "ownership"? The legitimate buyers. Who suffers when tech companies impose shitty verifications ideas and such? The normal person who just wants to browse. Passkeys, who do they benefit? The companies that control the digital wallets and alike.

Now, ADV will make things more difficult for legitimate developers, mostly individuals and small companies that do not have sufficient resources to play the big game. That means that, effectively, the only people who will want to remain listed in the Play Store, are those driven by financial interests.

Paradoxically, this is exactly the source of the problem in the first place!

Take away the carrot ...

ADV is not a bad tool per se, but it misses a lot of crucial details:

You could say, wait a minute Dedo! Developers now need to provide their true identities and signing keys and blah blah. This just shows that you cannot design software in California and deploy it in the let's call it the "developing" world. What do you think will happen? That there won't be any corruption or fake lists of documents and who knows what else? That this won't be just a tiny hurdle for those intent on profit, and a massive knockout blow to honest people? And yes, honest people don't like being treated like criminals. Yet, this seems to be the preferred method of solving problems in the digital world. Cough, incoming "verification" nonsense and such.

Repeat after me, the Internet hyperactiveness design cannot be solved with technology. It can only be solved with LESS technology. You can't take an IQ85 person (which is like 90% of the planet), give them a shiny touch device with a big BUY button, and then expect them not to fall prey to scams and errors and crap. That's not how it works.

Competition, unhealthy competition

All this philosophy aside, on a pragmatic level, if people obtain their software outside of the Play Store, that means Google has no visibility into those transactions. No telemetry, no data, perhaps no profit. That puts said activity outside of their control. And big companies love their data and they love control. ADV isn't a bad thing now. Not today.

But the design is such that 5-10-15 years from now, it can and will transform into a tool that makes it harder and harder for everyone else to participate, to say nothing of the fact people should have full freedom to install whatever they like on THEIR phones. You don't believe me? Luckily, we have the history to help us:

It gets worse! Lots of apps in the Play Store have a hard Play services dependency. That means that apps coded this way will not run unless the underlying system provides a very specific set of software instructions, Google Play services, to be more precise. That means, if you want to use Android sans Google, you might not be able to do many things that should, technically, be possible without any limitations. In other words, you want to do your banking or whatnot, but you are FORCED to use very specific proprietary technology from specific private companies. Here, once more, the burden is mostly on those writing their software with Play services as a hard dependency. They don't need to, and if they do, that means they are either clueless or deliberately exclusionary. What other reason could there be?

Google is no saint. Over the years, they tried to implement many solutions that were designed to funnel Web traffic and usage toward their platforms. The phone users in the EU eventually got a wizard that lets them choose their browser or search engine, but for many, still today, you only get the system default options. So then, with so many examples and precedents, why should ADV be any different? If you're still skeptical, then the next-gen reCaptcha idea should be a sobering moment. Sure sure, alternatives exist. For now.

All that said, developer verification is a good idea

Now, let's get back to the technical problem at hand. I don't think Google have thought this one through. My evidence comes from the upcoming PIN guess hardening in Android 17. If the numbers shown in the linked article are correct, then, Android 17 will reduce the total number of incorrect PIN attempts from 1,800 to 20. The first number is ridiculous, of course. Most people use a 4-digit PIN, so 1,800 attempts covers a pretty significant part of the possibility space. But reducing it 100-fold means the whole idea wasn't carefully done to begin with. So why would ADV be any different? Also, when it comes to PIN, I hope the counter gets reset once the correct PIN is provided. Anyway.

A more secure Android concept

Let me be a deluded idealist for a second, and tell you of many possible ways how Android could be made more secure, overnight:

All of these methods would make the phone experience quieter, less error prone. Slightly less fun, too. But then, the world wasn't all dark ages before rich emails and shiny emojis. People were still able to get things done and buy stuff, even when the technology was a bit less instant. Speed is not anyone's friend in the digital world, and less and less so every day.

In my solutions list, I didn't write anything about the Play Store. I figured, Google still needs its vibrant ecosystem, right. That's fair, in a way. But the current state of affairs is simply wrong. You search for an app, and the first thing you see is an ad. And then, a hundred irrelevant items. And somehow, the normies are supposed to make an educated decision and not get scammed? You don't need sideloading to be confused.

Here's a set of screenshots from my endeavors with the Samsung A54, an Android phone. Look at the results. Look at the ads. Look at the relevance of displayed information. What am I supposed to do? And what is the ordinary user supposed to do? How can I know if something is trustworthy or not? Legitimate or not?

Store search 2 Store search 3

More ads Store 2

For example, when I searched for "google camera", why should I get any result that's not related to Google? Why should Facebook Lite or X or Microsoft Teams or some EA Sports game be shown in the list? Why is the first result for a VPN tool an ad from a competitor to the searched-for item? Why are the suggested apps shopping, food delivery and finance? I mean, we want to make sure people are diligent and disciplined and careful and deliberate about their use of software, right? But if you make people curious about these platforms, then they might actually go searching for things they never considered in the first place. How can a normie tell one finance app from another from another?

Perhaps this is the entire purpose of the developer verification. Make the Play Store catalog a bit saner. I doubt it, but let's be positive. Okay then, if so, there was no need to ruin a perfectly sensible approach to security with the sideloading story. That one simply makes Google look bad.

Conclusion

Google's desire to improve the security of the Android ecosystem is a good idea. Developer verification is also a reasonable approach. Alas, it's also the only thing Google can do, because it doesn't really have any control over the infrastructure upon which the billions of Android phones exist and communicate. At the same time, Google shouldn't be the legislative, executive and judiciary branch of this world. Eventually, the noble or good-intended solutions will get repurposed for totally unintended things, which will harm the end user. Who guards the guards, the legendary late Terry Pratchett wrote. The last few decades of the Internet offer plenty of data to support this. Almost exclusively, any technology designed to "protect" the end user ended up inconveniencing the end user. Sure, it's only the power users who grumble. But it doesn't change the reality.

Android needs improvement. The app side of things is wild beyond belief, and not in a good way. I have many suggestions on how to make things better, including the store, but those would not be profitable. They wouldn't "engage" the user. In fact, they would actively disengage them, so they are far less likely to make mistakes, and far less trusting of the ecosystem. The Internet is a dangerous place. Android Developer verification is an okay concept with bad execution, simply because it seems impossible to reconcile the conflicts of profit, competition and fairness or openness with the "strict" gatekeeping that Google proposes. The easiest way for Google to fix things is to simply make the Play Store safer for use, and let the rest of the platform be. But on a much deeper level, the whole things needs a hard reset. Back to 2010. Thank you for reading.

Cheers.