Answering Questions About Android Developer Verification
Key topics
Google's new developer verification policy for Android has sparked controversy among developers, with many expressing concerns about the impact on sideloading and app distribution. The discussion highlights the tension between security and user freedom.
Snapshot generated from the HN discussion
Based on 120 loaded comments
Key moments
- Story posted: Sep 30, 2025 at 1:56 PM EDT
- First comment: Sep 30, 2025 at 1:57 PM EDT (33s after posting)
- Peak activity: 70 comments in 84-96h
- Latest activity: Oct 8, 2025 at 7:36 AM EDT
No, it's not.
If that goes away, might as well use apple's walled garden. There is no point for android to exist if freedom goes away.
People become willing to do things when you throw them out in the cold that they wouldn't do when you were still supplying the bread and circuses, and those people they don't like? It's because they're stubborn and they actually care and they know how to build things, isn't it?
Absolute bullshit Google. You have no right telling me what I can and cannot run on my own devices. Regardless of how I choose to install it.
I mean hey, at least we all know now that they aren't.
Sure the Play store was dominant when they started their own store. Yet companies tend to have excellent success if they control the OS on the device.
They could have offered no commission for 5 years, or some such.
Does anyone reading this know if the contract they had to sign with Google, to have the Play store pre-installed, reduced their ability to compete?
I mean look at the whole Epic thing. They could have offered them commission free use of the store, and used that to draw users in.
It's like they weren't trying.
The Galaxy store is more of an insurance policy than a real product they expect people to use.
This is the right time.
Chrome isn't enough. We need Android to get clawed away from Google too.
> Participating in developer verification will not affect your experience in Android Studio, the official IDE for Android app development. You will continue to be able to build and run an app even if your identity is not verified. Android Studio is unaffected because deployments performed with adb, which Android Studio uses behind the scenes to push builds to devices, is unaffected. You can continue to develop, debug, and test your app locally by deploying to both emulators and physical devices, just as you do now.
A few more years in this direction and Android can be as locked down as iPhone before Apple was forced to allow sideloading
There's nothing to stop them, and absolutely no reason to think they won't take away adb sideloading in the near future.
However other vendors that build upon AOSP, such as Samsung, can make their own decisions on this.
Pure AOSP devices are only some Chinese knockoffs without play store. If your device needs play store/device integrity verification, there are lots of requirements by goog that need to be met. Goog can add new requirement to disable installing unverified apps from adb.
What if F-Droid distributes an app Google or its US overlords deems dangerous or illegal? Will they block and/or revoke that signature, thus taking down F-Droid in its entirety?
and they will be removed by play protect.
In a healthy market, Chrome, Android, and YouTube would and should be their own entities.
Just wished there was a viable* FOSS Linux based mobile OS project out there that I could offer my time and energy to instead.
I have been running Graphene on a Pixel for a while now and I don't think Linux phones are a viable alternative. The vast majority of Android apps just work on Graphene, and there are millions of them. The UI experience is polished, everything just works with the exception of apps that require Google Play Integrity. And of course these projects aren't affected by Google's restrictions on sideloading.
But GrapheneOS lives by the mercy of Google. Pixel devices being reference devices makes it so that it's unlikely that Google will close them down completely.
However, as can be seen with this verification move, Google is willing to go very far to accomplish its aims. They already delayed delivery of Android 16 images, causing GrapheneOS some headaches.
Who is to say more isn't to come.
Seems like that will change soon.
But no, I think in the case when android is no option any more, I will seriously reconsider if we peaked on some enshittification with smartphones.
Maybe no smartphone or Linux phones will be more interesting for some time for me then.
The reaction to this change has truly changed my opinion that developers' opinions on a lot of subjects affecting the public's safety and security shouldn't be valued much (and yes, I realize I am on HN). If this is a bridge too far, then why should anyone listen to devs about "we can't backdoor cryptography" and things like chat control and more? You can't make every hill the hill you die on. I wouldn't even be against requiring a professional certification organization for developers before they're allowed to publish software to the masses. I would very much find it unpleasant, but we live in a society. You need a license to drive, to be a doctor, engineer and just about any profession where people's safety and well being is in jeopardy. Even real estate agents are licensed! And people are all up in arms about a simple id verification.
This is just to address malicious code. How does the public know your code isn't full of vulnerabilities, that you're not selling their data to the highest bidder? How do they know that you have a good understanding of secure coding practices and knowledge of privacy laws? Let's talk about that instead, if you publish software for a private group of people, there should be no restrictions. If you're publishing it on a platform that would expose your software to billions of people, get a license after id verification and passing a globally standardized exam (multiple choice and a practical coding exam!).
See, the big disconnect is that most developers see software as something similar to writing a book or selling a home-made item on etsy or ebay. But in reality, it's more like manufacturing a car or a gun, or opening a bank (if your app takes payments), or even opening a restaurant or a food truck. All these things require licensing. The malware and privacy loss people suffer is akin to food poisoning, car accidents, etc., but since it all happens virtually and there is typically no physical harm, developers are dismissive of it. This isn't the 90's anymore, people's lives and livelihoods are all online, all the security measures you can take, using signal for chat, passkeys and password managers for creds, vpns, etc., and you're still one legit looking app install away, one convincing phish away from your phone being compromised along with all your accounts, finances, job and your entire life as you recognize it from being harmed or destroyed.
I urge you all to temper passions with reason and practicality.
It's hard to see how you could get the necessary level of careful code review with just volunteer effort. But I suspect that most developers who don't want to register with Google are also unlikely to pay money to a third party to work around this.
Where "malicious" is defined as anything that Google or the American Empire doesn't agree with.
Is Google that organization? Because they themselves have decided that they are. I think what people are worried about is that Google is positioning itself to be the judge, jury, and executioner within such a licensing framework, not necessarily the licensing itself.
> This is just to address malicious code.
Yes, and if Google had shown that it's capable of identifying and rejecting malicious code distributed via its own app store, then maybe their proposed expansion of that security program to the entirety of the Android app ecosystem would carry some weight. But as it stands, their Play Store is full of user-hostile and often malicious apps[1].
> If you publish software for a private group of people, there should be no restrictions. If you're publishing it on a platform that would expose your software to billions of people, get a license after id verification
But that's exactly the opposite of what Google is doing, here, and why people are mad. Google isn't adding a new policy to their app distribution platform (the play store that grants exposure to billions of users), but rather they are forcing ID verification on any form of app distribution: If you want any regular user to be able to install your code, no matter how small the audience, you'll need to first give your identity to Google, and obtain a (paid[1]?) license. So the restrictions do apply to "a private group of people" too.
The crux, and what has people up in arms I think, is the overreach of Google's proposed licensing policy to cover not only their own app distribution ecosystem, but all others targeting Android.
Many technical users of Android consider it to be a general purpose computing platform, and they want to retain the freedom to install and run whatever software they trust.
Google should focus their supposed concerns about regular users' safety on the user-hostile apps that they allow to exist in their own app store, rather than grasping for broader control that they'll "probably use at some point but only for good things like user security".
1: https://f-droid.org/en/2025/09/29/google-developer-registrat...
I agree, it isn't and shouldn't be, an industry self-regulating org is needed, like the CA/B forum for browsers. Maybe one day we can transition to that.
> Yes, and if Google had shown that it's capable of identifying and rejecting malicious code distributed via its own app store,
You're making the opposite point there, they can't do a good job at scanning their appstore, so requiring devs to id themselves is a better option, so that anyone publishing malicious code might risk real-world criminal penalties. That's a better deterrent than google scanning code.
> If you want any regular user to be able to install your code, no matter how small the audience, you'll need to first give your identity to Google, and obtain a (paid[1]?) license. So the restrictions do apply to "a private group of people" too.
This applies to google certified phones, and such phones at the time of certification are sold to the public, not to a private audience. Private audiences need to buy non-google-certified phones (which exist). The question of google certification is one you need to have with phone vendors not Google. Samsung can opt to avoid google certification just fine. They have every right to demand that a phone with their stamp on it can only run apps by devs they authenticated, this is the price of their seal of approval.
> Many technical users of Android consider it to be a general purpose computing platform, and they want to retain the freedom to install and run whatever software they trust.
Yeah, for example I have an x86 android VM, it won't be affected because it isn't google certified. If you came up with a custom tablet or laptop that runs android, you can load random apps on it just fine.
> Google should focus their supposed concerns about regular user's safety on the user-hostile apps..
They can do multiple things, but this helps with that as well. The dev making user hostile apps now has to use his real name and their reputation will now follow them forever.
We’ve got to a point where corporations are bigger than some countries and getting almost unlimited powers again.
- Purism runs ancient hardware, charges way too much and has questionable business ethics.
- Pine64 has equally bad hardware but reasonable prices. I don't like the Hong-Kong connection though. Not sure how the security patching environment is in practice.
The only option on the table as I see it is buying from the devil and installing GrapheneOS.
https://puri.sm/posts/the-danger-of-focusing-on-specs/
> charges way too much
https://news.ycombinator.com/item?id=21656355
> questionable business ethics
They retrospectively changed their return policy in order to not get bankrupt. AFAIK everything is fine now. I'm a happy owner of Librem 5 btw.
Yes, it currently builds on top of Halium. Anyone who thinks this should be a sticking point has their head in the sand; the device and effort is how you get a usable ecosystem rolling.
Microsoft does this for Windows apps if you don’t want scary warnings popping up everywhere. Apple doesn’t even let you sideload at all for iOS and for macOS they do the forced trash malware thing unless you run commands to allow the app in the terminal.
Am I missing how this is different from what we already have on most platforms? Is it because you can’t force it to install the apps? Is there not a developer mode that lets you install unsigned apps, or a way to root the device to install apps?
Apple is of course locked down, but that's not news. The anger is because Android was the better option on this dimension.
Apps can certainly detect if a phone is rooted and refuse to work, like with a custom ROM. It's up to the developer what they care about, but this is not unusual. There are ways to try to trick the check into passing, but it sounds like the kind of thing that might break on any update.
Goodbye NewPipe. Goodbye anything that doesn't align with Google's capitalist interest or American imperial interest.
Sure, it’s possible they could retroactively ban your app, but they could do that without signing too. Just ban com.anonymous.newpipe or whatever the package name is. The signing doesn’t really change this.
Most? The only platform that is like that is ios.
On linux, in any form, I can run what I want.
On a mac I can run what I want.
On windows I can run what I want.
Obviously on BSDs, Illumos, etc, I can run what I want.
On android up to now, I can run what I want.
The one and sole exception where I don't really own the device and can't run what I want is ios (therefore I don't own anything that uses ios). And now google wants to join that evil club.
I understand this is a controversial position and I’m not in favor of this change, I just want to understand where the real differences are in an impartial way.
Of course Linux is an exception but it is also not widely used by consumers like Android and the other OSes I listed are.
It is a bit more convoluted in macOS now but still something quick.
What Google is saying is that I need to install adb, search for a cable, connect it and _then_ run the cli command. It is very different, not even close.
I don't use windows but my kid has a gaming rig which has windows and I know we download various programs on that and use them, no problem.
The whole point of a personal computer is you install and run whatever you want on it.
I used to think a phone is just a phone so who cares, but nowadays the phone is the personal computer for a lot of people, so that same freedom is vitally important.
(The fact that all those platforms still have malware, as well as the officially sanctioned google store, should also inform you about how effective this measure is for its stated goal)
I know both are objectionable in their own way, but these two scenarios are quite different and I want to understand this better.
This makes no sense at all.
Thought: Maybe we can organise and collectively hire this PR team to get Google, other big tech, and our governments, to look bad... And get shit done that way... If 2025 is the year of the PR spin, surely the only counter-measure is counter-spin?
Edit: Hold on, I think I just re-invented the concept of a political party.
[1] https://en.wikipedia.org/wiki/File:User_Account_Control.png
It doesn't take much effort to enable Developer Options, plug into a laptop and run "adb install whatever.apk". It's kind of like the floppy disk era again, having to physically insert things into one's computer to install software. Not a big deal.
If adb installing is used to circumvent their signing program, it has to go as well.
This is clearly a troll, confirmed by the green username.
Maybe that's something employers shouldn't do, but that doesn't change the fact that it's a reality and google is overstepping with this change.
That's what this really is about. If you want to distribute Android apps, be a professional or at least act like one. Take accountability for what you produce, under your real government name.
I lobbied everyone for years against Apple devices, switching people to Android to have a little bit more freedom. Now Google Android will be the same shit.
If people working on Google are hanging out around here, please know that your company really sucks now...
Aren’t the changes only for Google certified Android devices, AKA those that come with the play store?
But, the biggest trap that we can easily expect is that a lot of apps like banking apps will use Google API to check that they can only run on devices with the check for signatures. Same as the check for rooted devices.
It's disappointing that google has turned evil.
I loved how easy it was to mod things in the beginning. All that is now gone.