Google is implementing a new 24-hour waiting period for Android users who wish to install unverified applications (sideload) outside the Google Play Store, starting enforcement in select regions this September. This "advanced flow" aims to curb social engineering scams by introducing a mandatory delay after a user opts to bypass developer verification, ensuring users have time to reconsider high-pressure installation requests. While offering a permanent override option, the move balances user control with Google's push for enhanced platform security across billions of devices.
Currently, sideloading an application package (APK) involves a simple toggle for "unknown sources." The new process, however, is more involved and not readily discoverable. Users must navigate deep into developer settings, enable developer options by tapping the software build number seven times, and then locate "Allow Unverified Packages." After flipping a toggle and confirming they are not coerced, users must enter their device pin, restart, and then endure a full 24-hour waiting period before returning to the menu to select either temporary (seven-day) or indefinite allowance for unverified packages, per TechCrunch.
The core reason behind this 24-hour delay is to disrupt "high-pressure social engineering attacks." Sameer Samat, President of Android Ecosystem, explained that this delay makes it "much harder for attackers to persist their attack." This timeout gives victims crucial time to realize they are being scammed, for example, by verifying that a loved one is not truly in jail or a bank account is not under immediate threat.Google asserts it is not interested in the content of unverified applications or proactive checks during developer registration. The new verification program focuses on identity: ensuring users know the source of an app and that it doesn't come from known malware distributors. Malware, in this context, is defined as an application that "causes harm to the user’s device or personal data that the user did not intend." This distinction clarifies that intentionally downloaded rootkits or alternative YouTube clients that bypass ads are not considered malware for verification purposes.
The rollout of this verification system is proceeding cautiously, with initial enforcement beginning in September in Brazil, Singapore, Indonesia, and Thailand. These regions were selected due to higher rates of impersonation and guided scams. Google plans to expand verification globally next year, with the advanced flow becoming available before the initial rollout. Google maintains that users are 50 times more likely to encounter malware outside the Play Store than within it, a statistic they link partly to their 2023 decision to verify developer identities in the Play Store, which provided a framework for this universal developer verification.Google is introducing a 24-hour waiting period to combat social engineering scams that pressure users into immediately installing unverified apps from outside the Google Play Store. This delay gives users time to reconsider the installation and verify the legitimacy of the app and the request, disrupting attackers' ability to persist with their scams.
The new sideloading process, called "advanced flow," requires users to enable developer options, allow unverified packages, enter their device PIN, and restart their device. After completing these steps, a 24-hour waiting period begins before the user can actually install unverified apps, providing a window to prevent impulsive installations driven by fraud.
Google will begin enforcing the 24-hour delay for sideloading unverified Android apps in September, starting in select regions including Brazil, Singapore, Indonesia, and Thailand. This change is part of Google's effort to enhance platform security and protect users from malware and social engineering attacks.
Yes, users can choose either a temporary (seven-day) or indefinite allowance for installing unverified packages after the 24-hour waiting period. This option provides a permanent override, balancing user control with Google's push for enhanced platform security across billions of devices.
More insights on trending topics and technology
