Google details new 24-hour process to sideload unverified Android apps
https://android-developers.googleblog.com/2026/03/android-de...
The part in the flow where you select between allowing app installs for 7 days or forever is a glimpse into the future. That toggle shows the thought process that's going on at Google.
I can bet that a few versions down the line, the "Not recommended" option of allowing installs indefinitely will become so not recommended that they'll remove it outright. Then shrink the 7 day window to 3 days or less. Or only give users one allowed attempt at installing an app, after which it's another 24 hour waiting period for you. Then ask the user to verify themselves as a developer if they want to install whatever they want. Whatever helps them turn people away from alternatives and shrink the odds of someone dislodging their monopoly, they will do. Anything to drive people to Google Play only.
Do you think regular desktop computers should be locked down like this too? Scammers can also tell people to run Windows programs. Should that be banned too?
I'm fine with an opt-in lock-down feature so people can do it for their parents/grandparents/children.
Also, just let people get used to it. People will get burned, then tell their friends and they will then know not to simply follow what a stranger guides them to do over the phone. Maybe they will actually have second thoughts about what personal data they enter on their phone and when and where and who it may be sent to.
Same as with emails telling you to buy gift cards at the gas station. Should the clerk tell people to come back tomorrow if they want to buy a gift card, just in case they are being "guided" by a Nigerian prince scammer?
Maybe? Let people form CAs, and if a CA gives out certs for malicious apps, remove them. (Old apps continue to work; to publish a new one, get a new cert.)
Yes, sad, but works.
People will learn about scams, but scammers are unfortunately a few steps ahead. (Lots of scammers, good techniques spread faster among them than among the general public.)
If "they" is Google, this is just a really pointless middleman proposal. Android does all the cert stuff.
Also Chrome trusts like 300 CAs. Does that work? Probably not if you live in 200 of those countries.
Keep in mind that Android has like a billion users who have never touched a Windows computer. (And unmanaged Windows was/is also a disaster zone.) Coming at this from an internet forum perspective is missing the scope of the problem.
> I'm fine with an opt-in lock-down feature
Me too, but it's really just some UI semantics whether this is 'opt-in' or 'opt-out'. Essentially it would be an option to set up the phone in "developer mode".
Yeah, I predict that "developer mode" will eventually be a setup option in the trust store, so you'd have to reset the phone to get to it.
With billions of Android users, there's only millions of people who need or really want this. So like 1%. My point is stop thinking about your mom's windows box and consider the scale.
Keep in mind that Android is super popular everywhere democracy isn't.
I'm just spitballing something which would be completely trivial for any 'techie' (and wouldn't require jumping through 24 hr hoops), while improving the situation for the other 99%. Or Android becomes iOS and some minority of techies use some weirdo linux phone, whatever.
The scams are more sophisticated than getting gift cards to pay the IRS. A number saying that it’s from the bank will say they need to verify some account information.
I have had to actually verify my “investment profile” with a major broker in order to unfreeze some trades, in a high friction process. To the extent that a sideloaded app that looks exactly like the bank app has a low friction install, then people can get fooled and irrevocably lose savings.
If the lock-down is opt-in, almost nobody will opt in to it. If the lockdown is opt-out, then whether scams still happen depends on how much friction there is in opting out.
Freedom to install other unsigned sandboxed apps has a solution: Banks could use passkeys and other non-phishable methods. Sideloaded apps in Android can’t get to the bank app’s passkey.
Passkeys or hardware tokens get worries about the enshittification of the theoretical recovery process. Which, if that's the case, I guess we should hope for/pay for a better world, at least with banks and brokers. For them specifically, for account recovery allow either showing up in person or using ID checks.
Both for personal accounts and business accounts (i.e. with Business Email Compromise), I believe the onus should be on the bank to use non-phishable methods to show the human-readable payee from their app for irrevocable transfers.
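The two claims in the comments above, that a sideloaded lookalike app cannot use the bank's passkey and that the bank should bind the human-readable payee of an irrevocable transfer into what the user signs, both come down to two checks in a WebAuthn assertion: the relying-party ID hash baked into the authenticator data, and the challenge carried in the client data. The following Go program is an added example written for this page, not code from Google, Android or any bank. It models a platform authenticator that only holds a credential for the bank's rpID (on Android the app-to-rpID binding is enforced by Credential Manager using Digital Asset Links; the model collapses that to a map lookup), and a server that derives the challenge from a server nonce plus payee and amount. The names bank.example, bank-login.example, the Transaction type and the Demo function are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is the irrevocable transfer the bank shows the user (assumed type).
// The challenge commits to the human-readable payee and the amount, so the
// resulting signature cannot be reused for a different transfer.
type Transaction struct {
	Nonce  []byte // fresh per attempt, generated server side
	Payee  string
	Amount int64 // minor currency units
}

func (t Transaction) Challenge() string {
	h := sha256.New()
	h.Write(t.Nonce)
	h.Write([]byte(t.Payee))
	binary.Write(h, binary.BigEndian, t.Amount)
	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
}

// clientData is the subset of WebAuthn CollectedClientData the server checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct {
	AuthenticatorData []byte // rpIdHash(32) || flags(1) || signCount(4), as in WebAuthn
	ClientDataJSON    []byte
	Signature         []byte // ASN.1 ECDSA over authData || SHA-256(clientDataJSON)
}

// Authenticator holds credentials keyed by relying-party ID. A credential
// registered for bank.example is never returned for any other rpID.
type Authenticator struct {
	creds   map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}} }

func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.creds[rpID] = k
	return &k.PublicKey
}

// GetAssertion is what the platform calls on behalf of an app. The platform
// supplies rpID and origin for the calling app; the app cannot pick them.
func (a *Authenticator) GetAssertion(rpID, origin, challenge string) (Assertion, error) {
	k, ok := a.creds[rpID]
	if !ok {
		return Assertion{}, fmt.Errorf("no credential for rpID %q", rpID)
	}
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	auth := append([]byte{}, rpHash[:]...)
	auth = append(auth, 0x01) // UP flag: user presence confirmed
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], a.counter)
	auth = append(auth, ctr[:]...)
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, auth...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, k, msg[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthenticatorData: auth, ClientDataJSON: cd, Signature: sig}, nil
}

func originAllowed(o string, allowed []string) bool {
	for _, x := range allowed {
		if o == x {
			return true
		}
	}
	return false
}

// Verify is the bank's server-side check; it returns the new signature counter.
func Verify(pub *ecdsa.PublicKey, rpID string, origins []string, tx Transaction, last uint32, a Assertion) (uint32, error) {
	if len(a.AuthenticatorData) < 37 {
		return 0, errors.New("authenticator data too short")
	}
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return 0, errors.New("rpIdHash mismatch: assertion was made for another relying party")
	}
	if a.AuthenticatorData[32]&0x01 == 0 {
		return 0, errors.New("user presence flag not set")
	}
	counter := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if counter <= last {
		return 0, errors.New("signature counter did not increase (clone or replay)")
	}
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" {
		return 0, errors.New("wrong ceremony type")
	}
	if cd.Challenge != tx.Challenge() {
		return 0, errors.New("challenge does not match the transaction shown to the user")
	}
	if !originAllowed(cd.Origin, origins) {
		return 0, fmt.Errorf("origin %q not allowed", cd.Origin)
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], a.Signature) {
		return 0, errors.New("bad signature")
	}
	return counter, nil
}

// Demo runs the honest flow and two attacks; returns (honestOK, lookalikeOK, tamperedOK).
func Demo() (bool, bool, bool) {
	const rpID = "bank.example"
	// Real Android app origins look like android:apk-key-hash:<hash>; one web origin suffices here.
	origins := []string{"https://bank.example"}
	auth := NewAuthenticator()
	pub := auth.Register(rpID)
	tx := Transaction{Nonce: []byte("nonce-1"), Payee: "Alice Doe", Amount: 25000} // constructed sample

	// 1. The genuine bank app: platform binds it to rpID bank.example.
	honest := false
	if a, err := auth.GetAssertion(rpID, "https://bank.example", tx.Challenge()); err == nil {
		_, err = Verify(pub, rpID, origins, tx, 0, a)
		honest = err == nil
	}
	// 2. A sideloaded lookalike app: the platform only lets it ask for its own rpID.
	lookalike := false
	if a, err := auth.GetAssertion("bank-login.example", "https://bank-login.example", tx.Challenge()); err == nil {
		_, err = Verify(pub, rpID, origins, tx, 0, a)
		lookalike = err == nil
	}
	// 3. A relay that captures a real assertion and changes the payee.
	tampered := false
	if a, err := auth.GetAssertion(rpID, "https://bank.example", tx.Challenge()); err == nil {
		evil := tx
		evil.Payee = "Mule Account"
		_, err = Verify(pub, rpID, origins, evil, 0, a)
		tampered = err == nil
	}
	return honest, lookalike, tampered
}

func main() {
	h, l, t := Demo()
	fmt.Printf("honest app: %v, lookalike app: %v, tampered payee: %v\n", h, l, t)
}
```

The lookalike app fails before any signature exists, because no credential is scoped to its rpID; the relay fails because the challenge the user's device signed encodes the payee they were shown. Two things the model leaves out that matter in practice: some authenticators always report a zero signature counter, so the counter check must be relaxed for those, and the payee binding only protects the user if the app actually renders the payee and amount next to the confirmation prompt.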