User choice is a problem. It’s one that platforms have been tackling in different ways for decades now, and it all comes down to a balance. Users want the freedom to install whatever software they want. But the companies behind those platforms understand that they also need to keep their users protected against the threat of malware. So how do you keep that “do whatever you want” door open, while also employing a bouncer to keep the peace?
This is as much a technical problem as it is one centered on human behavior, and that messy human part of it means that there are always going to be edge cases where one-size-fits-all approaches don’t work. But with that acknowledged, Google’s new “advanced flow” for sideloading apps strikes what I think is an incredibly satisfying compromise — and this 24-hour delay is probably the smartest part of it.
Where Android malware comes from
There’s no shortage of places you could pick up an Android APK that’s infected with some hidden malicious code, just waiting to ruin your day (and week, and bank balance). Sometimes malware sneaks into the official Play Store — but Google’s constantly vigilant about detecting and removing all that it can. Or maybe you find a download link on the web or in an online forum — you might think you’re getting an early release from the actual developer, but it’s an impostor trying to trick you into installing malware.
Google already has a good system in place to address these threats, and it’s getting even stronger with this new push for more universal developer registration. Between Play Protect scans and sticking with developers you trust, most users can feel reasonably confident that their apps are safe.


But there’s also a much more insidious type of malware threat, and one that leans harder than ever on the human element here: scams. Bad actors target vulnerable communities everywhere, often starting with phone calls or messages warning about imminent dangers — a classic here is someone telling you over the phone that you’ve got a relative in jail and they need you to send money for bail/a fine/to pay a lawyer immediately.
Sometimes, scammers like those just try to get you to send them cash. But increasingly, they’re adding a malware component to their scams, trying to convince you that the only way to make the necessary payment is with some special software. These kinds of high-pressure tactics, coming from a live person you’re talking to, can be far more persuasive than some random forum comment suggesting you install an unverified APK. When the safety of your loved ones is on the line, it’s very possible that you might dismiss all the warning messages Android throws at you and still try to install the sketchy APK.
How Android’s “advanced flow” for sideloading keeps users safe
Google has clearly spent a lot of time looking at its options here. Warning messages are a good start, but they can only get you so far, and all too easily collapse when scammers are able to get an emotional hook into their target. What Google ultimately had to accept is that any sideloading protection workflow that included a switch or toggle users could turn off would be turned off through the influence of smooth-talking scammers.
After the announcement about developer verification last summer, a lot of us were concerned that Google’s solution there would be the nuclear option: Just don’t offer that kind of toggle at all. But instead, we’re now getting this 24-hour compromise. There’s no toggle at first, but wait things out long enough, and the option arrives.
That is just so clever for several reasons. By taking the decision to immediately install an unverified app out of users’ hands, Google puts scammers in a very difficult position. Successful scams now have to operate over a longer time period, raising expense and difficulty on the scammer’s end. And by forcing users to wait, Google gives them the time to verify all the lies scammers had been feeding them.
Meanwhile, there’s also a path forward towards seamless unverified installs for power users who have been around the block enough times to feel confident about the APKs they’re installing and where those are coming from. If you’ve been seeing yesterday’s announcement and thinking “there’s no way I’m waiting a full day every time I want to install a Switch emulator,” good news — you won’t have to!
Once you go through that initial 24-hour wait, you can choose to unlock the ability to install unverified apps for the next seven days, or to keep it unlocked forever. What I suspect is that the sort of users who know that they’re going to be installing a lot of APKs — the ones who do so on basically every phone they ever own — are just going to go through this process on day one of setting up a new device, and then never think about it again.
“But, but, but,” you protest, “what if I have an EMERGENCY where I really do need to install an unverified app RIGHT now and hadn’t set all that up in advance?” Google’s got you. Even with these on-device protections now nicely locked-down against even charismatic scammers, there’s an external option: ADB.

Plug your Android phone into your PC, fire up the Android Debug Bridge in your terminal, and you can manually input command-line instructions to instantly install even unverified apps. If you’ve ever played around with ADB before, you can probably appreciate that this is not the sort of process a scammer’s successfully going to be able to talk your grandmother through, and just the steep technical barrier that ADB represents will probably suffice to keep this loophole safe.
At the end of all this, Android is still Android. The platform is still open, and users have the freedom to install any app they wish, from any source. But freedom is also dangerous, and rather than throwing users right into the deep end of distinguishing between malware and legitimate apps themselves, Android is defaulting to making everyone enter through the kiddie pool. If you want to swim out deeper, that’s on you. And really, I think that’s the way things should be.