Philip
Catalin CimpanuAndroid will require a 24-hour wait before sideloading apps
https://android-developers.googleblog.com/2026/03/android-developer-verification.html
PeterA *one-time* delay when you seek to turn off the protection that stops the user from side-loading apps.
To be honest, given how many security-blind people use Android now, I can live with this.
Time was when Android users were all "power users", like Linux used to be. Those days are long gone.
A bigger issue is Google closing Android off from side-loading apps at all.
v@PeterLG @campuscodi if i thought it would stop at this I wouldnt mind much. given their starting position was banning sideloading completely and they only retreated to this after immense backlash, im worried
alxvstheworld@PeterLG @campuscodi you do realize that closing Android off and this nonsense is the same thing, right?
No, it's not.
The current concept stops a user turning off the side-loading protection and *immediately* loading and running an app from an unknown source β for example, the great-grandfather mentioned β when they don't understand the risks. I have zero problem with that.
Google's ultimate plan is to close off the ability to side-load completely β delayed due to pushback, for now β a funtion that is the biggest differentiator between Android and Apple.
wikiyu@PeterLG @campuscodi meanwhile Xiaomi: 30 days delay to unlock bootloader about google: Amateurs
GreenDotGuy@PeterLG @campuscodi I don't recall a time when using Android implied some sort of expert status; it's been a globally popular platform for general purpose smartphones for about two decades.
Also, this is about the principle of the thing. If I had to get permission from Mazda to change my own oil, I'd be furious.
I don't think sideloading presents a practical security risk. I don't see how this makes things safer. I do see how it moves a line of control from 'in my hands' to 'a distant megacorp'.
Tom Walker@campuscodi Is this responding to an actual sideloading coercion problem, or just an imagined one? Most common scams seem like they are already possible without the need to get the user to install a malicious app
bit101@tomw @campuscodi Nobody really believes this is about protecting anyone or anything other than Google's bottom line.
bjb 
Programmers may choose to use that time productively.
Chester Wisniewski π¨π¦@tomw @campuscodi I've been following Android malware and scams as a researcher since its inception and this is rarely a vector. There is far more danger in actual Play Store apps than through side loading by accident/trickery. Last big wave I can recall were fake Fortnight and Pokemon Go apps when they were not available on official markets (one of which is due to Google's own policies).
Dominic White@chetwisniewski @tomw @campuscodi GoldDigger malware has been rampant in South Africa and Southeast Asia for the last year and a half or more. This will make a big difference.
the elder sea@campuscodi
I can buy a gun in America in less time than this. Absolute insanity on both issues.
I can buy a gun in America in less time than this. Absolute insanity on both issues.
gullevek β’οΈ π―π΅@campuscodi First step. Next step is to cut it off. Your device is no longer your device
Nicolas Dufour@campuscodi Ah that's actually a good news. I thought fdroid was going to be impossible to use by the end of the year.
mjdxp@campuscodi this is a joke, right? please tell me it's a joke...
@campuscodi oh my fucking god, i hate google...
Aral Balkan@campuscodi Alt text: Machine-generated, human-verified:
An infographic titled "Advanced flow for power users to sideload apps from unverified developers" (with "sideload apps from unverified developers" in green text). It presents a four-step process, each step numbered in a green circle with a corresponding UI mockup and explanatory text below.
Step 1: "Confirm you aren't being coached"β Shows a dialog with two buttons: "Yes, someone is guiding me" and "No one is instructing me," plus a "Cancel" link. Below, the explanation reads: "This is a quick check to make sure that no one is coaching you into turning off your security. While power users know how to vet apps, scammers often pressure victims into disabling protections."
Step 2: "Restart your phone and reauthenticate" β Shows a dialog titled "Security delay required" with the text "Because this setting reduces your device's security, a delay is required to continue" and a button reading "Restart your device now to begin the security delay," plus a "Cancel" link. Below: "This cuts off any remote access or active phone calls a scammer might be using to watch what you're doing."
Step 3: "Come back after the 24-hour wait and verify" (with "24-hour wait" in green) β Shows a dialog titled "Security delay complete" with the text "You can now continue to change this setting," a green "Continue" button, and a "Cancel" link. Below: "There is a one-time, one-day wait and then you can confirm that this is really you who's making this change on your device via a biometric authentication (fingerprint or face unlock) or device PIN. Scammers rely on manufactured urgency, so this breaks their spell and gives you time to think."
Step 4: "Enable the settings and you're ready to install apps" (with "Enable the settings" in green) β Shows a settings screen with two radio options: "Turn on temporarily" ("Installing unregistered apps will be allowed for 7 days") and "Turn on indefinitely" ("Installing unregistered apps will be allowed indefinitely. Not recommended."), plus a "Confirmation" checkbox reading "I understand and accept the risks from unregistered apps, and wish to proceed." Below: "Once you confirm you understand the risks, you're all set to install unverified apps indefinitely. You'll still see a warning for safety, but you can just tap 'Install Anyway.'"
Maya@[email protected] Thats why i flashed LineageOS.
Fully de googled my setup.
Theres 4 ways to handle this news.
1. nuke google, literally.
2. de google your life entirely and figure out the rest.
3. infiltrate your countrys politics, somehow, and work to push from within
4. cry about it loudly on the internet with other people who are also crying loudly about it on the internet
Licho@campuscodi this is bullshit.
axleyjc@campuscodi
Hey #google : *Your* threat model is not *my" threat model. Anything like this needs to be configurable by the owner or MDM. Allow shorter, longer, or disabled.
Is there even any evidence that delaying 24 hours changes the outcome?
DeManiak πΏπ¦ π§-The Stinkening@campuscodi jeepers, this is some next level BS
nihilistic_capybaraWell. I am switching to postmarket as a daily driver.
@[email protected] friend. Are there any devices that work well as a daily driver?
Also do you know of anyone who got safetynet attestation working on waydroid?