Will Android developer verification break offline sideloading?

Android’s approach to software openness is changing in some fundamental ways right now, and the shift has not been happening without a fair amount of controversy. While Google has always let you install Android apps from outside its managed app ecosystem, sideloading their APK files, the company will now start mandating that developers register their identity, and block the installation of apps from unverified sources.

For fans of open platforms, that’s resulted in some spicy takes (my own included), but in the weeks since the news first broke we’ve learned a little more about Google’s plans for implementing this program — and hearing about some critical workarounds, like maintaining the ability to sideload unverified apps over a connection to another device running ADB (the Android Debug Bridge).

While we’re breathing a little easier now that we know about that option, there are still plenty of headaches that this move could cause, and today we’re thinking about one that’s been brought up by Android fans on Reddit like user WesternImpression394. There, they’ve spotted some of the groundwork Google’s been laying in the Android SDK (not the AOSP, as claimed in that thread) to support developer verification.

One of the variables defined there is labeled in a way that immediately gets our attention: DEVELOPER_VERIFICATION_FAILED_REASON_NETWORK_UNAVAILABLE.

When you stop and think about it for a moment, that makes all the sense in the world — Google isn’t just interested in attaching someone’s name to all those anonymous APKs floating around out there, but presumably doing so in a way that allows the company to take action based on the name, like blacklisting devs who spread malware. And indeed, there’s a similar DEVELOPER_VERIFICATION_FAILED_REASON_DEVELOPER_BLOCKED variable. While it’s easy enough to verify something like a cryptographic signature locally, Android might want to prevent you from installing an app if it can’t get online and check if the name is on just such a no-no list.

Admittedly, this probably won’t cause a problem for most users ever, and we are looking at some kind of extreme corner case situation where you’ve already downloaded an APK, but no longer have network connectivity, nor access to a device running ADB (or an app already installed to run ADB commands locally). There could even be a cached copy of the ban list that would let you install offline up to a point. That said, Android has literally billions of users, and even rare situations will probably happen for someone eventually.

We’ve still got a year to go  before developer verification starts actually impacting any Android end-users, although devs will start signing up in the months to come. That leaves plenty of time for us to learn more about the all-too-important details behind how the system will ultimately work — and hopefully, plan ahead for how to work around it for users who genuinely need to.