Google has presented a new Android procedure for advanced users who want to continue installing apps outside official stores. Called Advanced Flow, it aims to offer a safer way to sideload APKs signed by unverified developers. The company describes it as a mechanism that introduces deliberate friction into the installation process to reduce the risk that trusting people fall for scams or end up installing malicious software under pressure.
Advanced Flow is scheduled to arrive in August 2026 as part of the package of changes around the new developer identity verification requirement, a measure that will force anyone who publishes applications, regardless of the distribution channel, to prove their identity to Google so that their APKs can be installed on certified devices. Google has published an explanatory entry on its developer blog that details both the logic and the steps of the new system (Google official entry), and developers have a page with instructions for completing the verification (Android verification page).

The stated reason behind Advanced Flow is to prevent a very specific type of fraud: scams in which attackers accompany the victim in real time, urging and guiding them to deactivate system protections or ignore security warnings. To counter this vector, the procedure requires anyone who wants to enable installation from unverified developers to go through a series of steps that cannot be completed immediately. The user must activate developer mode, confirm in response to a warning that they are not being coached by a third party, restart the phone and authenticate again, and wait at least one day before confirming that the change is intentional. Only then can the user install applications from unverified developers, and the system will show a persistent warning indicating that condition; the authorization can be limited to one week or maintained indefinitely, according to the user's choice.
This design pursues what security experts call "protective friction": introducing small, reasoned obstacles into sensitive operations to break the pace imposed by attackers who try to create urgency. According to Google, the delay and the need for reauthentication make it difficult for a scammer to keep control of the process and push the victim into accepting unsafe installations on the spot.
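The steps above can be read as a small state machine with a time gate. The following is an added illustration, not Android's implementation or code from Google: the class and method names are hypothetical, and it assumes the one-day wait is counted from the reauthentication after reboot and that timestamps come from a clock the user cannot move.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional

DAY = 24 * 3600
WEEK = 7 * DAY

class Step(Enum):
    START = auto()
    DEV_MODE = auto()
    NOT_COACHED = auto()
    REAUTHENTICATED = auto()
    ENABLED = auto()

class FlowError(Exception):
    """Raised when a step is attempted out of order or too early."""

@dataclass
class SideloadGate:
    # Timestamps are seconds from a clock the user cannot move (assumption).
    step: Step = Step.START
    reauth_at: Optional[float] = None
    expires_at: Optional[float] = None   # None = kept indefinitely

    def _advance(self, expected: Step, nxt: Step) -> None:
        if self.step is not expected:
            raise FlowError(f"{nxt.name} needs {expected.name}, state is {self.step.name}")
        self.step = nxt

    def enable_developer_mode(self) -> None:
        self._advance(Step.START, Step.DEV_MODE)

    def confirm_not_coached(self) -> None:
        self._advance(Step.DEV_MODE, Step.NOT_COACHED)

    def reboot_and_reauthenticate(self, now: float) -> None:
        self._advance(Step.NOT_COACHED, Step.REAUTHENTICATED)
        self.reauth_at = now             # waiting period starts here (assumption)

    def confirm_intent(self, now: float, one_week: bool) -> None:
        if self.step is Step.REAUTHENTICATED and now - self.reauth_at < DAY:
            raise FlowError("waiting period of one day has not elapsed")
        self._advance(Step.REAUTHENTICATED, Step.ENABLED)
        self.expires_at = now + WEEK if one_week else None

    def may_install_unverified(self, now: float) -> bool:
        if self.step is not Step.ENABLED:
            return False
        return self.expires_at is None or now < self.expires_at
```

In this model, a caller who tries to complete every step within a single session is stopped at `confirm_intent`, which is the point at which the article says a coached victim gets time to reconsider.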
There is also worrying data behind the decision. Digital scams and fraud generate huge losses: a report cited by Google estimates global losses on the order of hundreds of billions of dollars last year (report on the overall state of scams). This context explains why platforms and manufacturers now seek to balance Android's openness with concrete measures that reduce harm to real users.
For many technical users and development teams, the ability to install APKs directly is an important advantage: it allows internal testing, out-of-store distribution, and the use of tools or applications that are not on Google Play. Advanced Flow does not eliminate this freedom, but regulates it through human verification and additional steps. In practical terms, Google points out that developer verification will be the standard and that Advanced Flow will serve as a controlled exception for those who need to temporarily skip the requirement without compromising device security.
It is important to stress that this initiative comes after a period of public debate. Google had previously announced its intention to demand identity verification from app publishers, but the original calendar was adjusted after criticism from the developer community and privacy advocates. The company now emphasizes that the system is moving forward and that the window for developers to complete the verification is open; its official website lists the steps and technical requirements for those who want to register (information for developers).
From a security point of view, Advanced Flow has clear advantages: it reduces the risk of social engineering attacks that turn the victim into an involuntary accomplice in their own compromise. However, it also raises questions about the experience for advanced users and about how a legitimate exception will be distinguished from dangerous practices. The visual warning that Android will display when an application comes from an unverified developer will be a useful tool, but it will depend on users understanding its meaning and acting accordingly.
Another aspect to consider is the impact on alternative app distribution and competition in the ecosystem. Requiring identity verification can complicate life for small projects or independent developers that, for legitimate reasons, distribute outside Play; Google therefore insists that Advanced Flow will be available to those who need "extra" access and that the goal is not to close off options but to reduce fraud. The balance between openness and protection will remain a point of friction in discussions between manufacturers, regulators and the technical community.

If you are a developer, it is wise to get informed as soon as possible and complete the verification to avoid being blocked from August. If you are a user who usually installs APKs out of need, note that the new flow will ask you for several steps and a deliberate waiting period: that is not a failure, but a mechanism designed to give you time to think and, if appropriate, ask for help before running an irreversible action on your device.
In short, Advanced Flow is Google's bet on keeping sideloading possible on Android without giving up controls designed to thwart the most sophisticated scams, which take advantage of haste and emotional manipulation. It remains to be seen in practice how these measures are implemented, whether they actually reduce fraud, and how both the developer community and advanced users react when the flow starts to be activated on billions of devices.
To learn more, you can read Google's technical explanation of verification and the new flow on its developer blog (official entry) and review the instructions for completing the verification in the Android documentation (page for developers). It is also useful to consult independent analyses and reports on the economic impact of digital scams, such as the study cited by Google (report Global State of Scams 2025).