Android Developer Verification

Last updated: 2026-04-28 — Verify timeline at official Google sources before relying on dates near the enforcement boundary.

TL;DR

• What: Google requires every Android app installed on certified devices to be associated with a verified developer — even if distributed via sideload, third-party stores, or direct APK.

• When: Enforcement begins September 30, 2026 in Brazil, Indonesia, Singapore, Thailand. Global rollout 2027+.

• Who: Anyone shipping an Android app to certified devices, including teams that never use Play Store.

• Cost:

  • $25 USD one-time for a Full Distribution account (unlimited apps + installs).

  • FREE for a Limited Distribution account (max 20 authorized devices, launched June 2026).

• Two consoles, two paths:

  • Android Developer Console — dedicated for non-Play distribution.

  • Google Play Console — can be used as verification-only ($25), even if you never publish.

• What gets blocked: After enforcement, unverified apps cannot be installed via normal install flows on certified devices in enforcing regions. ADB / developer mode still works.

1. Background

Why this exists

Google's 2025 analysis found over 50× more malware originating from sideloaded sources compared to apps installed via Google Play. To raise the bar, Google introduced developer verification: "an ID check at the airport" that confirms a developer's identity, separate from any review of the app's content.

Source: Android Developers Blog: Elevating Android Security (Aug 2025).

What "certified device" means

Most consumer Android phones and tablets shipped with Google Mobile Services (Play Store, Play Services) are certified. Custom AOSP builds, dev boards, and managed enterprise devices may not be. Verification is enforced only on certified devices in regions where the rollout has begun.

What gets blocked when

Once enforcement starts in your region:

• Users cannot install apps signed by an unverified developer.

• Users cannot update previously installed unverified apps.

• Exception: Power users with developer mode enabled can still install unverified apps via ADB after acknowledging risk.

• Enterprise exemption: Apps deployed to managed/enterprise devices via MDM are exempt.

Verified developer ≠ Play Store publishing

Sources: Android Developer Verification Overview, Register on Google Play Console.

Enforcement timeline

Source: Android Developer Verification Timeline.

2. Existing Play Store apps — auto-registration

If your app is already published on Google Play, you likely don't need to do anything new. In March 2026, Google auto-registered package names and signing keys for ~98% of existing Play apps under the developer accounts that own them.

Check your status

1. Sign in at play.google.com/console.

2. Navigate to Settings → Account → Identity verification.

3. Confirm the developer account shows Verified.

4. Navigate to Settings → Verification (or per-app App content → Developer verification) to confirm each package is listed as Registered.

If your app falls in the 2% that need manual action

Causes typically include:

• Signing key was rotated/lost and never re-uploaded.

• Package name was migrated between accounts without proper transfer.

• App was never fully published (closed-testing only, no production track).

Resolution: register the package manually via Play Console (see Path B §5.2 step 4) or via Android Developer Console (see Path A §4.3).

You don't need a separate Android Developer Console account

A Play Console-verified developer is already verified for the purposes of installing the same apps outside Play Store, as long as the package name + signing key are registered.

3. Account types — pick one

Decision matrix:

Sources: Android Developer Verification Overview, Limited Distribution Early Access.

4. Path A — Android Developer Console (non-Play distribution)

Use this path to register a developer identity and packages without ever creating a Play Console account.

4.1 Prerequisites

• A Google Account (personal or Workspace). 2FA strongly recommended.

• Documents (see checklists below).

• A signed APK built with the private key you intend to register.

Documents — individual

• Government-issued photo ID (one of): passport, driver's license, permanent resident card, national ID card.

• Proof of address (one of, dated within ~3 months): utility bill, bank statement, insurance statement, government letter, property deed.

• Contact details: private email, phone number.

Documents — organization

• D-U-N-S number — 9-digit Dun & Bradstreet identifier. Free. Get one at dnb.com or duns.com. Issuance can take 30+ days, so start early.

• Website verification via Google Search Console (DNS, HTML file, or meta tag).

• Legal entity name and address — must match official business registration.

• Official organization documents (one or more): IRS EIN letter, certificate of incorporation, SEC filings, business credit reports, government letters confirming business status, utility bills in business name.

4.2 Step-by-step identity verification

URL: android.google.com/developerconsole/developers

1. Sign in with your Google Account.

2. Choose account type — Individual or Organization.

3. Enter personal/legal details — name, address, email, phone. (For organizations: legal entity name, D-U-N-S, website.)

4. Upload documents — government ID + proof of address (individual) or organization documents. Formats: PDF, JPG, PNG. All four corners of IDs must be visible.

5. Verify email via the confirmation link sent to your inbox.

6. Verify phone via the SMS / authenticator OTP.

7. Wait for review — typically 1–2 business days. You'll receive an email when status updates to Verified.

Public disclosure: After verification, your developer legal name, address, email, and (for orgs) website become visible to users at install time. Do not use a personal home address for an organization account.

Source: Register on Android Developer Console.

4.3 Step-by-step package registration

Once your identity is verified, register each package name + signing key. Repeat per app.

1. Open the Packages tab in Android Developer Console.

2. Click + Add package.

3. Enter the package name — must match the applicationId in your build.gradle. Example: com.example.myapp.

4. Add the SHA-256 fingerprint of your signing certificate. Get it with:

   Or in Android Studio: Build → Analyze APK → Manifest → certificate. Status becomes In review.

5. Prove ownership by signing a challenge-bearing APK:

   1. Click Download challenge snippet in the console.

   2. Place the snippet at app/src/main/assets/challenge in your project.

   3. Rebuild and re-sign the APK with the same private key whose SHA-256 you just submitted.

   4. Upload the signed APK back to the console.

6. Wait for confirmation email. Status updates to Registered — typically within hours. Subsequent builds with the same signing key require no further proof.

Source: Register on Android Developer Console.

5. Path B — Verification-only Play Console account

Use this path to verify your identity and register packages through Google Play Console without publishing apps to the Play Store. Useful when you prefer Play Console's UI or want package registration to happen automatically on APK upload.

5.1 When to pick this path

• You want auto-registration of package + SHA-256 on APK upload (no manual challenge file).

• You're already comfortable with Play Console.

• You're OK paying the $25 one-time fee even though no app will be published.

5.2 Step-by-step

1. Create a Play Console account.

   • Go to play.google.com/console.

   • Sign in with a Google Account.

   • Pay the $25 USD one-time developer fee.

2. Create an app entry (but do not publish it).

   • Click + Create app.

   • Fill in the required fields: app name, default language, app/game type, free/paid.

   • Click Create app.

   • Do NOT click Submit for review anywhere in subsequent flows.

3. Complete identity verification.

   • Navigate to Settings → Account → Identity verification.

   • Provide legal name, address, phone, email.

   • Upload government ID + proof of address (same documents as Path A §4.1).

   • For organizations: also provide D-U-N-S, website, business documents.

   • Status updates to Verified within 1–2 business days.

4. Register the package name + signing key.

   • Navigate to Your app → Release → Internal testing → Create release (or any release track — Internal is least public).

   • Upload a signed AAB or APK built with your private key.

   • Play Console automatically extracts the package name and SHA-256 fingerprint and registers them under your verified account.

5. STOP HERE. Do not roll out the release. Do not submit for production review. Do not configure a store listing for public viewing.

6. Confirm registration in Settings → Verification — package should appear as Registered.

Source: Register on Google Play Console.

5.3 Why $25 is still required

The $25 Play Console developer-account fee is independent of publishing. It's paid once at account creation; using the account for verification only does not waive it.

5.4 Internal testing track caveat

Uploading to the Internal testing track:

• Allows up to 100 named testers (by Google Account email).

• Does NOT make the app public on the Play Store.

• Is sufficient to register the package under your verified account.

• You don't need to actually invite testers or distribute the app — uploading is enough.

6. CI/CD integration

Once verified, your CI pipeline does not need to interact with the verification consoles for every build — only the first registration is manual. Subsequent builds signed with the same key automatically qualify.

Extract SHA-256 from a keystore

Sign release builds non-interactively

Generic guidance

• Store the keystore as an encrypted CI artifact (GitHub Encrypted Secrets, GitLab CI/CD Variables, AWS Secrets Manager, etc.). Never commit it.

• Inject signing credentials only at build time.

• Document the SHA-256 fingerprint somewhere durable (project README, password manager) — you'll need it for any future package registration.

• The first registration of a new package or new signing key always requires manual interaction with the console (Path A: challenge snippet; Path B: APK upload).

7. Operational details

Lead times

Common rejection causes

Identity verification:

• Document image is blurry, cropped, or too dark.

• Name on government ID does not match the legal name entered.

• Proof-of-address document is older than ~3 months.

• Required fields left empty or mismatched between docs.

Package registration:

• APK is not signed with the private key whose SHA-256 was submitted.

• Challenge snippet missing from assets/ folder of the uploaded APK.

• SHA-256 fingerprint mismatch between the submitted value and the APK signature.

• Package name already claimed by another verified developer (see priority rules below).

Resolution: re-upload corrected documents or APK. Re-review typically completes within 24 hours.

Team roles (Android Developer Console)

Invite members via Settings → Team members. Play Console offers more granular per-app permissions; see Play Console: User and permissions.

Updating info after approval

• Identity fields (name, address, email): editable in Settings, but changes trigger re-review (1–2 business days).

• Phone and email: must be re-verified after change.

• Package names and SHA-256 fingerprints: cannot be edited once registered. To change a signing key, register a new SHA-256 alongside the old one.

Package transfers between accounts

If both source and target accounts are verified and in good standing, you can transfer registered packages via Settings → Package transfer.

Package-name conflict priority

If two developers register the same package name, priority is decided by install volume:

Source: Understanding Android Developer Verification.

8. Distribution implications

Direct download from your website

• The APK must be signed with a verified developer's private key.

• The package name must be registered under that account.

• After enforcement starts in the user's region, the device checks the signing certificate against Google's verified-developer registry at install time.

• Users can still bypass via ADB or developer mode if they explicitly accept the risk.

Enterprise / MDM distribution

• Managed devices with Play Services: verification NOT required (managed-device exemption).

• Standalone managed devices without Play Services: verification required.

• Consult your MDM vendor's documentation for how it handles unverified apps.

ADB / developer-mode escape hatch

Users who have enabled developer options and accept warnings can install unverified apps via:

• adb install

• File-manager sideload with developer mode acknowledgments

This is intentional — Google preserves an escape hatch for power users — but normal users will not be able to use these flows.

Limited Distribution 20-device cap

• The 20-device limit is across all apps combined under that account — not per-app.

• Each device must be explicitly enrolled by the developer (typically via device ID).

• Registering a 21st device requires upgrading to Full Distribution ($25).

• Useful for personal projects, classroom demos, internal prototypes.

9. References

All claims in this document trace to official Google sources:

• Android Developer Verification Overview

• Understanding Android Developer Verification

• Android Developer Verification Timeline

• Register on Android Developer Console

• Register on Google Play Console (Verification)

• Android Developers Blog: Elevating Android Security (August 2025)

• Android Developers Blog: Rolling Out to All Developers (March 2026)

• Android Developers Blog: Early Access (November 2025)

• Google Play Console

• Android Developer Console

• Dun & Bradstreet (D-U-N-S signup)