Google is making identity verification mandatory in 2026 to distribute APKs, moving AOSP to 2 releases per year, and releasing Android 17 Beta with notable breaking changes. If you publish on the Play Store: nothing changes. If you distribute outside: this article concerns you.
Table of Contents
Context
Since its inception, Android was built on a fundamental principle: distribution freedom. Anyone could compile an APK, share it on GitHub or via email, and have it installed on any device. Facing iOS and its locked App Store, this was the key difference.
In 2026, this philosophy takes a serious hit.
Prerequisites to understand this article
- Have already published or attempted to publish an Android app
- Basic knowledge of the Play Store and sideloading
- These rules apply only to certified Android devices (with Google Mobile Services) — non-GMS Custom ROMs (/e/OS, LineageOS) are not affected
The Problem
Several quiet announcements, scattered between August 2025 and February 2026, paint a picture of an Android where Google controls the entire distribution chain — even outside its own store.
Put together, these changes mark a turning point. Here are the details.
The 4 Major Changes
1. Developer Verification — End of Anonymous Sideloading
Warning: Starting from September 2026, any Android app distributed outside the Play Store must be signed by a Google-verified developer.
This is officially announced by Google in the Android Developers Blog of August 25, 2025, signed by Suzanne Frey, VP Product Trust & Growth:
"Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices."
The official justification? Google claims to have detected 50x more malware from sideloaded sources than on the Play Store. The stated target: malicious actors who impersonate real developers to distribute convincing fake apps.
Google's metaphor: "Think of it like an ID check at the airport — confirming a traveler's identity but separate from the security screening of their bags." Google verifies who you are, not what your app contains nor where it comes from.
What verification actually requires (source: official Android Developer Console preview document):
| Account Type | Requirements |
|---|---|
| Personal | Government ID + verified phone number + $25 one-time fee |
| Organization | ID + phone + company legal registration documents + verified website + $25 |
| Student / Hobbyist | Streamlined process, no fee — details not yet published |
Important technical detail: You must register each package name of your app with its signing public key, proven by uploading an APK signed with the corresponding private key. You are not required to upload the final APK that will be distributed — just to prove that you control the signing key pair.
Official Timeline:
| Step | Date | Status |
|---|---|---|
| Early access (gradual invitations) | October 2025 | Past |
| Verification open to all devs | March 2026 | Now |
| Enforcement (Brazil, Indonesia, Singapore, Thailand) | September 2026 | Upcoming |
| Global rollout | 2027+ | Upcoming |
Best practice: You can sign up for early access now at goo.gle/android-verification-early-access. Early sign-ups = priority support + opportunity to give feedback on the process.
What it really means for you (depending on your situation):
You're a student or hobbyist?
Google has explicitly planned a separate streamlined account with no fees. Details are not yet published. Monitor developer.android.com/developer-verification.
You already distribute on the Play Store?
If you have an existing Play Console account (verification in place since 2023), you have very likely already met these requirements. Check the official guides. No new account needed.
You use /e/OS or LineageOS?
These devices are not Android certified (no Google Mobile Services). The new rules don't apply to them. However, some apps like WhatsApp or Revolut that use the Play Integrity API already refuse to run on these devices — and the developers of these apps have no obligation to change that.
The Developer Community Reaction
The Register gathered direct testimonials from developers, and the tone is unequivocal.
A Reddit developer summarizes the frustration:
"I can install an app onto a Windows computer from any source without verification by Microsoft. An Android device is a computer, like any other computer. It doesn't have to be this way. It's this way because a giant corporation controls it."
Another indie developer interviewed by The Register:
"Google is making it harder and harder to build apps. Every year they do something to make it harder — Chrome extensions, Docs add-ons… every single thing that runs in something of theirs gets more difficult to distribute. It used to be the case that if you were just creating a Chrome extension for yourself and a few colleagues, you could easily submit it as unlisted. But now, even private extensions have to go through verification which takes days, and even if you've changed one line of code can be arbitrarily rejected."
Pro tip: This pattern is documented across several Google products — Chrome Extensions, Workspace Add-ons, and now Android. It's an underlying trend, not an isolated incident.
2. AOSP Moves to 2 Releases Per Year
Google quietly announced through official documentation updates that the Android Open Source Project (AOSP) will receive only 2 source code drops per year: Q2 and Q4, compared to 4 previously.
This change is part of the transition to the "Trunk Stable" model: all features are developed on a single branch, hidden by feature flags (aconfig), then gradually activated.
Official recommendation to contributors: Google recommends moving from the aosp-main branch to android-latest-release.
Concrete impact by profile:
| Who | Impact | Detail |
|---|---|---|
| Play Store Devs | None | No change in workflow |
| OEMs (Samsung, Xiaomi) | Positive | More time to integrate → less fragmentation |
| Custom ROM (LineageOS, GrapheneOS) | High | 6 months wait between drops, complex patches to integrate |
| Small OEMs emerging markets | Medium | AOSP dependency without Google services — penalizing delays |
Common mistake: Believing monthly security patches stop. No — they continue. It's their integration into custom AOSP builds that becomes more complex.
The GrapheneOS case: In late 2025, they signaled that the quarterly September 2025 release still hadn't been pushed to AOSP weeks after its internal deployment. With 2 releases per year, these delays risk becoming structural.
What is the "Trunk Stable" model?
Trunk Stable is a development model where all features are continuously merged to the main branch (main), protected by feature flags (aconfig). Google can activate or deactivate a feature remotely.
Advantages:
- Fewer long-term branches to maintain
- More reliable continuous integration tests
- Fine control over feature activation by device/region
Disadvantages for open-source:
- Public code may contain undocumented "hidden" features
- Less visibility into Google's actual roadmap
3. Android 17 Beta 1 — Canary Replaces Developer Previews
In February 2026, Google launched the first Android 17 beta (API level 37, codename Cinnamon Bun).
The "Developer Preview" channel is replaced by a continuous Canary channel: devs have permanent access to the latest changes without waiting for specific windows.
Notable breaking changes:
Common mistake: Targeting API 37 without checking your app's Vulkan support — OpenGL ES is now routed via ANGLE.
| Change | Before | After |
|---|---|---|
| OpenGL ES | Direct | Via ANGLE (Vulkan required) |
| Large screen opt-out | Possible | Removed (sw > 600dp) |
| Custom notifications | Free size | Limited |
| ProfilingManager triggers | Basic |
COLD_START, OOM, KILL_EXCESSIVE_CPU
|
4. Target API Level and Mandatory Maintenance Under Penalty of Invisibility
Apps that don't target an API level within 2 years following the last major Android version will be blocked for new users on the Play Store.
Note: A 6-month extension can be requested, but it's not automatic. A stable unmaintained app disappears from search results for new devices — without clear notification.
Google claims: "developers will have the same freedom to distribute their apps directly to users through sideloading or to use any app store they prefer."
The community responds: this freedom existed without having to ask Google's permission. This is no longer the case.
Note: The timing is not coincidental. The rollout starts in 4 Southeast Asian countries — priority markets for mobile fraud, but also markets where antitrust regulatory pressure is lower than in Europe or the US. Europe and the US arrive in 2027, once Google has refined the system away from the most active regulators.
What Doesn't Change
Let's be honest: if you publish on the Play Store, you'll feel almost nothing.
Who is really affected?
The real losers:
- Devs who distribute outside Play Store without a Google account
- Open-source projects valuing contributor anonymity (F-Droid, Aurora)
- Custom ROM communities (LineageOS, GrapheneOS)
- Small OEMs in emerging markets
- Devs in sensitive geopolitical contexts (encrypted communication apps)
Not affected:
- Play Store devs already verified (verification already done since 2023)
- Apps on non-GMS devices (/e/OS, LineageOS)
- Devs in France until at least 2027
Key Points
| Don't Ignore | |
|---|---|
| Sideloading beta | Sign up now at goo.gle/android-verification-early-access |
| Signing keys | Register your package name + public key before September 2026 |
| AOSP contributors | Migrate from aosp-main to android-latest-release
|
| Target API | Any app unmaintained for 2 years becomes invisible to new users |
| Android 17 | Test Vulkan/ANGLE support now on the Canary channel |
References
- Google Android Developers Blog — A new layer of security for certified Android devices — Suzanne Frey, VP Product Trust & Growth, August 25, 2025
- The Register — Google kneecaps indie Android devs, forces them to register — Tim Anderson, August 26, 2025
- WebProNews — Google Cuts Android AOSP Releases to Biannual Starting 2026
- Android Developers Blog — The First Beta of Android 17
- Android Authority — AOSP Source Code Schedule
- Droid Life — Google Switches to Publishing Android Source Code Twice Per Year
Top comments (0)