Google is moving forward with the most significant security change to the Android app ecosystem in years. Starting September 30, 2026, Android apps must be registered to a developer with a verified identity to be installed on certified Android devices in four initial markets: Brazil, Indonesia, Singapore, and Thailand. Global enforcement across all certified Android devices is planned for 2027.
The Android developer verification program, introduced last year, requires developers to link their apps to verified identities, removing the cover of anonymity that has long made Android a target for malware distributors. Google launched the app registration portal in March 2026, and more than 99% of Google Play apps have already been registered. The September deadline marks the shift from voluntary registration to mandatory enforcement.
Google is rolling out a new system service to Android devices beginning this month. The service will be used later this year to verify developer registration when users install or update apps. It works across multiple app stores, not just Google Play.
The enforcement timeline is phased:
- June 2026 – New system service rolls out to most Android devices
- July 2026 – Android Developer ID Status API launches globally; early access begins for the Android Developer Console API and limited distribution accounts
- August 2026 – Limited distribution accounts and the Developer Console API launch globally; a new advanced sideloading flow debuts with security checkpoints to resist coercion scams
- September 30, 2026 – Only apps from verified developers can be installed or updated on certified Android devices in the four initial countries
The limited distribution accounts are a notable addition. Designed for students, hobbyists, and learners, they allow sharing apps with up to 20 devices without requiring a government-issued ID or registration fee. This addresses an early criticism of the program that it would stifle hobbyist development.
Participating stores in the initial rollout include Google Play, HONOR App Market, OPPO App Market, Galaxy Store, Palm Store, V-Appstore, and GetApps. The program covers both the Google Play Store and third-party app stores on certified Android devices.
New APIs for developers
Two new APIs aim to reduce friction for developers managing multiple apps. The Android Developer ID Status API lets developers check whether a package name has already been registered. The Android Developer Console API enables registration and package name management directly through CI/CD pipelines and development environments.
Both APIs support OAuth delegation, allowing third-party platforms such as alternative app stores to perform registration on behalf of developers. Google begins rolling out the APIs over the next two months.
“Android Developer ID Status API will let you check if a package name has already been registered, and the Android Developer Console API will let you register and manage package names directly within your development environment,” Matthew Forsythe, Google’s Director of Product Management for Android App Safety, said in Google’s announcement.
The security rationale
Android developer verification is Google’s answer to a long-standing structural weakness. On iOS, every app developer is tied to a verified Apple developer account, creating a paper trail that discourages malicious activity. Android’s openness, while philosophically appealing, meant anyone could publish apps anonymously. Malware campaigns exploiting this anonymity have grown more sophisticated.
The verification program changes this by linking every app on certified Android devices to a real identity. For apps distributed through the new advanced flow for unverified developers, Google introduces security checkpoints designed to resist coercion scams while still allowing power users to sideload. Apps can still be installed through Android Debug Bridge (adb) without verification.
The September 30 deadline applies only to the initial four markets. Google has not announced specific dates for the remaining countries, only that global rollout will happen through 2027. In practice, developers who complete verification for September will not need to repeat the process for later markets.
What this means for the ecosystem
The move brings Android closer to Apple’s model of verified developer identity, but with important differences. Apple’s developer program costs $99 per year. Google’s verification program, by contrast, is free for standard developers and offers the limited distribution tier as a no-cost entry point for casual developers.
For users, the change should be largely invisible. Apps from verified developers install and update as before. The difference appears only when trying to install an app from an unregistered developer on a certified device: the system will block the installation unless the user goes through the advanced flow or uses adb.
For developers, the message is straightforward. Most Google Play developers are already registered. Those distributing through third-party stores or directly should complete registration before September to avoid disruptions in the initial markets.
Sources: Google sets timeline for Android developer verification enforcement (Help Net Security, June 19, 2026); Android developer verification timeline (Google Help, accessed June 20, 2026); Ars Technica (June 19, 2026)