# Android Developer Verification > **Last updated: 2026-04-28** — Verify timeline at [official Google sources](https://developer.android.com/developer-verification) before relying on dates near the enforcement boundary. *** ### TL;DR * **What:** Google requires every Android app installed on certified devices to be associated with a verified developer — even if distributed via sideload, third-party stores, or direct APK. * **When:** Enforcement begins **September 30, 2026** in Brazil, Indonesia, Singapore, Thailand. Global rollout 2027+. * **Who:** Anyone shipping an Android app to certified devices, including teams that never use Play Store. * **Cost:** * **$25 USD** one-time for a Full Distribution account (unlimited apps + installs). * **FREE** for a Limited Distribution account (max 20 authorized devices, launched June 2026). * **Two consoles, two paths:** * **Android Developer Console** — dedicated for non-Play distribution. * **Google Play Console** — can be used as verification-only ($25), even if you never publish. * **What gets blocked:** After enforcement, unverified apps cannot be installed via normal install flows on certified devices in enforcing regions. ADB / developer mode still works. | Question | Answer | | ------------------------------------------------- | ----------------------------------------------------- | | Already publishing on Play Store? | Likely auto-registered in March 2026 — see Section 2. | | Distributing only outside Play Store? | Pick Path A or Path B. | | Hobbyist / student / internal-only (≤20 devices)? | Use Limited Distribution account. | *** ### 1. Background #### Why this exists Google's 2025 analysis found **over 50× more malware originating from sideloaded sources** compared to apps installed via Google Play. To raise the bar, Google introduced developer verification: "an ID check at the airport" that confirms a developer's identity, separate from any review of the app's content. Source: [Android Developers Blog: Elevating Android Security (Aug 2025)](https://android-developers.googleblog.com/2025/08/elevating-android-security.html). #### What "certified device" means Most consumer Android phones and tablets shipped with Google Mobile Services (Play Store, Play Services) are certified. Custom AOSP builds, dev boards, and managed enterprise devices may not be. Verification is enforced **only on certified devices in regions where the rollout has begun**. #### What gets blocked when Once enforcement starts in your region: * Users **cannot install** apps signed by an unverified developer. * Users **cannot update** previously installed unverified apps. * **Exception:** Power users with developer mode enabled can still install unverified apps via ADB after acknowledging risk. * **Enterprise exemption:** Apps deployed to managed/enterprise devices via MDM are exempt. #### Verified developer ≠ Play Store publishing | Aspect | Verified Developer | Play Store Publishing | | ------------------------ | ------------------------------------- | --------------------------------------------- | | **Purpose** | Identity verification | Distribution platform with content review | | **Required for** | Any app on certified devices | Optional if distributing outside Play | | **Reviews** | Identity (legal name, address, phone) | App functionality, content policy, age rating | | **Cost** | $25 (Full) / $0 (Limited) | $25 + 15–30% commission on sales/IAP | | **Distribution channel** | Any (you choose) | Google Play | | **Sideloading allowed?** | Yes, once verified | App must be on Play Store | Sources: [Android Developer Verification Overview](https://developer.android.com/developer-verification), [Register on Google Play Console](https://developer.android.com/developer-verification/guides/google-play-console). #### Enforcement timeline | Date | Milestone | | ---------------- | ------------------------------------------------------------------------------------------ | | **Aug 25, 2025** | Verification announced. | | **Nov 2025** | Early access registration opens (invite-only). | | **Mar 2026** | Verification opens to all developers. Existing Play apps auto-registered. | | **Jun 2026** | Limited Distribution accounts launch (early access). | | **Aug 2026** | Limited Distribution available globally. | | **Sep 30, 2026** | **Enforcement begins** in Brazil, Indonesia, Singapore, Thailand. Unverified apps blocked. | | **2027+** | Region-by-region global rollout continues. | Source: [Android Developer Verification Timeline](https://support.google.com/android-developer-console/answer/16650243?hl=en). *** ### 2. Existing Play Store apps — auto-registration If your app is already published on Google Play, you likely don't need to do anything new. In **March 2026**, Google auto-registered package names and signing keys for **\~98% of existing Play apps** under the developer accounts that own them. #### Check your status 1. Sign in at [play.google.com/console](https://play.google.com/console). 2. Navigate to **Settings → Account → Identity verification**. 3. Confirm the developer account shows **Verified**. 4. Navigate to **Settings → Verification** (or per-app **App content → Developer verification**) to confirm each package is listed as **Registered**. #### If your app falls in the 2% that need manual action Causes typically include: * Signing key was rotated/lost and never re-uploaded. * Package name was migrated between accounts without proper transfer. * App was never fully published (closed-testing only, no production track). Resolution: register the package manually via Play Console (see Path B §5.2 step 4) or via Android Developer Console (see Path A §4.3). #### You don't need a separate Android Developer Console account A Play Console-verified developer is already verified for the purposes of installing the same apps outside Play Store, **as long as the package name + signing key are registered**. *** ### 3. Account types — pick one | Account | Cost | Apps | Installs / devices | Best for | | ---------------------------------- | ---------------- | --------- | ---------------------------------------------- | ------------------------------------------------------------------------------ | | **Full Distribution** | $25 USD one-time | Unlimited | Unlimited | Organizations, professional developers, public APK distribution | | **Limited Distribution** | FREE | Unlimited | Max **20 authorized devices** total | Students, hobbyists, internal/testing-only apps | | **Verification-only Play Console** | $25 USD one-time | Unlimited | Unlimited (but no Play Store listing required) | Teams already familiar with Play Console; want auto-registration on APK upload | **Decision matrix:** | Question | Choice | | ------------------------------------------------------- | --------------------------------------- | | ≤ 20 known devices, no public distribution? | Limited Distribution | | Need ID verification but never want to publish on Play? | Path A (Android Developer Console) | | OK paying $25, want auto-registration on APK upload? | Path B (Verification-only Play Console) | | Already on Play Store? | Already covered — see Section 2 | Sources: [Android Developer Verification Overview](https://developer.android.com/developer-verification), [Limited Distribution Early Access](https://google.qualtrics.com/jfe/form/SV_4N7NGE06NjJJdl4). *** ### 4. Path A — Android Developer Console (non-Play distribution) Use this path to register a developer identity and packages **without** ever creating a Play Console account. #### 4.1 Prerequisites * A Google Account (personal or Workspace). 2FA strongly recommended. * Documents (see checklists below). * A signed APK built with the private key you intend to register. **Documents — individual** * **Government-issued photo ID** (one of): passport, driver's license, permanent resident card, national ID card. * **Proof of address** (one of, dated within \~3 months): utility bill, bank statement, insurance statement, government letter, property deed. * **Contact details:** private email, phone number. **Documents — organization** * **D-U-N-S number** — 9-digit Dun & Bradstreet identifier. **Free.** Get one at [dnb.com](https://dnb.com) or [duns.com](https://duns.com). Issuance can take 30+ days, so start early. * **Website verification** via [Google Search Console](https://search.google.com/search-console) (DNS, HTML file, or meta tag). * **Legal entity name and address** — must match official business registration. * **Official organization documents** (one or more): IRS EIN letter, certificate of incorporation, SEC filings, business credit reports, government letters confirming business status, utility bills in business name. #### 4.2 Step-by-step identity verification URL: [**android.google.com/developerconsole/developers**](https://android.google.com/developerconsole/developers) 1. **Sign in** with your Google Account. 2. **Choose account type** — Individual or Organization. 3. **Enter personal/legal details** — name, address, email, phone. (For organizations: legal entity name, D-U-N-S, website.) 4. **Upload documents** — government ID + proof of address (individual) or organization documents. Formats: PDF, JPG, PNG. All four corners of IDs must be visible. 5. **Verify email** via the confirmation link sent to your inbox. 6. **Verify phone** via the SMS / authenticator OTP. 7. **Wait for review** — typically **1–2 business days**. You'll receive an email when status updates to **Verified**. > **Public disclosure:** After verification, your developer **legal name, address, email, and (for orgs) website** become visible to users at install time. Do not use a personal home address for an organization account. Source: [Register on Android Developer Console](https://developer.android.com/developer-verification/guides/android-developer-console). #### 4.3 Step-by-step package registration Once your identity is verified, register each package name + signing key. Repeat per app. 1. **Open the Packages tab** in Android Developer Console. 2. **Click + Add package**. 3. **Enter the package name** — must match the `applicationId` in your `build.gradle`. Example: `com.example.myapp`. 4. **Add the SHA-256 fingerprint** of your signing certificate. Get it with: ```bash keytool -list -v \ -keystore /path/to/release.keystore \ -alias your-key-alias \ -storepass "$KEYSTORE_PASSWORD" \ | grep "SHA256:" ``` Or in Android Studio: **Build → Analyze APK → Manifest → certificate**. Status becomes **In review**. 5. **Prove ownership** by signing a challenge-bearing APK: 1. Click **Download challenge snippet** in the console. 2. Place the snippet at `app/src/main/assets/challenge` in your project. 3. Rebuild and re-sign the APK with the **same private key** whose SHA-256 you just submitted. 4. Upload the signed APK back to the console. 6. **Wait for confirmation email.** Status updates to **Registered** — typically within hours. Subsequent builds with the same signing key require no further proof. Source: [Register on Android Developer Console](https://developer.android.com/developer-verification/guides/android-developer-console). *** ### 5. Path B — Verification-only Play Console account Use this path to verify your identity and register packages through Google Play Console **without publishing apps to the Play Store**. Useful when you prefer Play Console's UI or want package registration to happen automatically on APK upload. #### 5.1 When to pick this path * You want auto-registration of package + SHA-256 on APK upload (no manual challenge file). * You're already comfortable with Play Console. * You're OK paying the $25 one-time fee even though no app will be published. #### 5.2 Step-by-step 1. **Create a Play Console account.** * Go to [play.google.com/console](https://play.google.com/console). * Sign in with a Google Account. * Pay the **$25 USD one-time developer fee**. 2. **Create an app entry** (but do not publish it). * Click **+ Create app**. * Fill in the required fields: app name, default language, app/game type, free/paid. * Click **Create app**. * **Do NOT** click **Submit for review** anywhere in subsequent flows. 3. **Complete identity verification.** * Navigate to **Settings → Account → Identity verification**. * Provide legal name, address, phone, email. * Upload government ID + proof of address (same documents as Path A §4.1). * For organizations: also provide D-U-N-S, website, business documents. * Status updates to **Verified** within **1–2 business days**. 4. **Register the package name + signing key.** * Navigate to **Your app → Release → Internal testing → Create release** (or any release track — Internal is least public). * Upload a signed AAB or APK built with your private key. * Play Console **automatically** extracts the package name and SHA-256 fingerprint and registers them under your verified account. 5. **STOP HERE.** Do not roll out the release. Do not submit for production review. Do not configure a store listing for public viewing. 6. **Confirm registration** in **Settings → Verification** — package should appear as **Registered**. Source: [Register on Google Play Console](https://developer.android.com/developer-verification/guides/google-play-console). #### 5.3 Why $25 is still required The $25 Play Console developer-account fee is independent of publishing. It's paid once at account creation; using the account for verification only does not waive it. #### 5.4 Internal testing track caveat Uploading to the **Internal testing** track: * Allows up to **100 named testers** (by Google Account email). * **Does NOT make the app public** on the Play Store. * Is sufficient to register the package under your verified account. * You don't need to actually invite testers or distribute the app — uploading is enough. *** ### 6. CI/CD integration Once verified, your CI pipeline does not need to interact with the verification consoles for every build — only the **first** registration is manual. Subsequent builds signed with the same key automatically qualify. #### Extract SHA-256 from a keystore ```bash keytool -list -v \ -keystore "$KEYSTORE_PATH" \ -alias "$KEY_ALIAS" \ -storepass "$KEYSTORE_PASSWORD" \ | grep "SHA256:" ``` #### Sign release builds non-interactively ```bash ./gradlew bundleRelease \ -Pandroid.injected.signing.store.file="$KEYSTORE_PATH" \ -Pandroid.injected.signing.store.password="$KEYSTORE_PASSWORD" \ -Pandroid.injected.signing.key.alias="$KEY_ALIAS" \ -Pandroid.injected.signing.key.password="$KEY_PASSWORD" ``` #### Generic guidance * Store the keystore as an **encrypted CI artifact** (GitHub Encrypted Secrets, GitLab CI/CD Variables, AWS Secrets Manager, etc.). Never commit it. * Inject signing credentials only at build time. * Document the SHA-256 fingerprint somewhere durable (project README, password manager) — you'll need it for any future package registration. * The **first** registration of a new package or new signing key always requires manual interaction with the console (Path A: challenge snippet; Path B: APK upload). *** ### 7. Operational details #### Lead times | Step | Typical duration | | ------------------------------------------- | ----------------- | | Identity verification review | 1–2 business days | | Package registration after challenge upload | Minutes to hours | | D-U-N-S issuance (organizations) | Up to 30 days | #### Common rejection causes **Identity verification:** * Document image is blurry, cropped, or too dark. * Name on government ID does not match the legal name entered. * Proof-of-address document is older than \~3 months. * Required fields left empty or mismatched between docs. **Package registration:** * APK is not signed with the private key whose SHA-256 was submitted. * Challenge snippet missing from `assets/` folder of the uploaded APK. * SHA-256 fingerprint mismatch between the submitted value and the APK signature. * Package name already claimed by another verified developer (see priority rules below). Resolution: re-upload corrected documents or APK. Re-review typically completes within 24 hours. #### Team roles (Android Developer Console) | Role | Capabilities | | ------------- | ------------------------------------------------ | | **Owner** | Full access. Can delete the account. | | **Admin** | Manage packages, team members, account settings. | | **Developer** | View and manage packages only. | | **Viewer** | Read-only access. | Invite members via **Settings → Team members**. Play Console offers more granular per-app permissions; see [Play Console: User and permissions](https://support.google.com/googleplay/android-developer/answer/9844686). #### Updating info after approval * Identity fields (name, address, email): editable in **Settings**, but changes trigger re-review (1–2 business days). * Phone and email: must be re-verified after change. * Package names and SHA-256 fingerprints: cannot be edited once registered. To change a signing key, register a new SHA-256 alongside the old one. #### Package transfers between accounts If both source and target accounts are verified and in good standing, you can transfer registered packages via **Settings → Package transfer**. #### Package-name conflict priority If two developers register the same package name, priority is decided by install volume: | Scenario | Rule | | ------------------------------------------------- | ------------------------------------------------------------------ | | One developer has ≥ 50% of installs | That developer gets priority. | | Multiple developers, one passed 50 installs first | Whoever reached 50 installs first wins. | | Neither has ≥ 50 installs | First-come, first-served (earliest signing-key registration wins). | Source: [Understanding Android Developer Verification](https://support.google.com/android-developer-console/answer/16561738?hl=en). *** ### 8. Distribution implications #### Direct download from your website * The APK must be signed with a **verified developer's** private key. * The package name must be **registered** under that account. * After enforcement starts in the user's region, the device checks the signing certificate against Google's verified-developer registry at install time. * Users can still bypass via ADB or developer mode if they explicitly accept the risk. #### Enterprise / MDM distribution * **Managed devices with Play Services:** verification **NOT required** (managed-device exemption). * **Standalone managed devices without Play Services:** verification **required**. * Consult your MDM vendor's documentation for how it handles unverified apps. #### ADB / developer-mode escape hatch Users who have enabled developer options and accept warnings can install unverified apps via: * `adb install` * File-manager sideload with developer mode acknowledgments This is intentional — Google preserves an escape hatch for power users — but normal users will not be able to use these flows. #### Limited Distribution 20-device cap * The 20-device limit is **across all apps combined under that account** — not per-app. * Each device must be **explicitly enrolled** by the developer (typically via device ID). * Registering a 21st device requires upgrading to Full Distribution ($25). * Useful for personal projects, classroom demos, internal prototypes. *** ### 9. References All claims in this document trace to official Google sources: * [Android Developer Verification Overview](https://developer.android.com/developer-verification) * [Understanding Android Developer Verification](https://support.google.com/android-developer-console/answer/16561738?hl=en) * [Android Developer Verification Timeline](https://support.google.com/android-developer-console/answer/16650243?hl=en) * [Register on Android Developer Console](https://developer.android.com/developer-verification/guides/android-developer-console) * [Register on Google Play Console (Verification)](https://developer.android.com/developer-verification/guides/google-play-console) * [Android Developers Blog: Elevating Android Security (August 2025)](https://android-developers.googleblog.com/2025/08/elevating-android-security.html) * [Android Developers Blog: Rolling Out to All Developers (March 2026)](https://android-developers.googleblog.com/2026/03/android-developer-verification-rolling-out-to-all-developers.html) * [Android Developers Blog: Early Access (November 2025)](https://android-developers.googleblog.com/2025/11/android-developer-verification-early.html) * [Google Play Console](https://play.google.com/console) * [Android Developer Console](https://android.google.com/developerconsole/developers) * [Dun & Bradstreet (D-U-N-S signup)](https://dnb.com) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.getupdraft.com/android/android-developer-verification.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.