Google is tightening the gates to the Play Store. Starting later this year, Android developers will need to verify their real-world identities before they can distribute apps to users — a move that signals a fundamental shift in how the world’s largest mobile app marketplace polices trust, accountability, and fraud.
The company announced the Android Developer Verification program in a March 2026 post on the Android Developers Blog, laying out a phased rollout that will eventually require all developers — individuals and organizations alike — to submit government-issued identification or business registration documents before publishing or updating apps on Google Play. The initiative is Google’s most aggressive attempt yet to tie digital storefronts to verified real-world entities, and it carries significant implications for independent developers, enterprise publishers, and the broader fight against malicious software.
The rationale isn’t hard to understand. For years, Google has waged an escalating war against bad actors who exploit the relative anonymity of developer accounts to push malware, copycat apps, and predatory subscription schemes onto unsuspecting users. In 2024 alone, Google blocked more than 2.3 million policy-violating apps from reaching the Play Store and banned over 333,000 developer accounts for confirmed malware distribution, according to the company’s own transparency reports. But whack-a-mole enforcement has its limits. Bad actors simply create new accounts, often using fabricated identities, and start the cycle again.
Developer verification attacks that problem at the root.
Under the new program, individual developers will be required to submit a valid government-issued photo ID — a passport, national ID card, or driver’s license — which Google will verify through an automated identity-proofing system built in partnership with a third-party verification provider. Organizational accounts will need to supply business registration documents, tax identification numbers, and proof that the submitting individual is authorized to act on behalf of the entity. Google says the verification process will be encrypted end-to-end and that identity documents will not be stored after verification is complete, though metadata confirming verified status will be retained.
The phased rollout begins with new developer accounts in Q3 2026. By Q1 2027, all existing accounts will need to complete verification to continue publishing updates. Developers who fail to verify by the deadline won’t have their apps immediately removed, but they will lose the ability to push new versions — effectively freezing their apps in place until compliance is achieved.
That timeline gives Google roughly a year to onboard millions of developers worldwide. It’s ambitious. And it raises real questions about execution, especially in markets where government-issued identification is inconsistent, where business registration norms vary wildly, or where developers operate under pseudonyms for legitimate safety reasons.
The Tension Between Trust and Access
Google isn’t the first platform to move in this direction. Apple has long required a $99 annual fee and identity verification for its Developer Program, and it tightened organizational verification requirements in 2023. Microsoft requires identity checks for developers publishing to the Microsoft Store. But Google Play has historically maintained a lower barrier to entry — a one-time $25 registration fee and minimal identity requirements — which helped it attract a massive developer base, particularly in emerging markets across Southeast Asia, Africa, and Latin America.
That accessibility has been a double-edged sword. The low barrier fueled innovation and diversity in the app catalog, but it also made Play a more attractive target for fraudsters. According to a 2025 report from Kaspersky, Android devices accounted for approximately 70% of all mobile malware detections globally, with a significant share traced to apps that had at some point been available on the Play Store or sideloaded from sources mimicking Play’s interface.
The new verification requirement will almost certainly reduce the volume of fraudulent developer accounts. But it will also impose friction on legitimate developers, particularly solo creators in countries where identity documentation is less standardized. Google acknowledged this in its blog post, noting that it is “working with regional partners to support a wide range of identity documents and business registration formats” and that an appeals process will be available for developers who encounter verification difficulties.
Privacy advocates have already raised concerns. The Electronic Frontier Foundation has not yet issued a formal statement on Google’s specific program, but the organization has previously argued that mandatory identity verification requirements for online publishing can chill anonymous speech and disproportionately affect developers in authoritarian regimes who may face retaliation for creating certain types of apps — VPNs, encrypted messaging tools, or apps critical of government policy.
Google’s response, at least so far, is to emphasize the data-minimization approach. Documents verified, then deleted. No centralized database of developer passports. But the verification metadata itself — the fact that a specific real-world identity is linked to a specific developer account — creates a record that could theoretically be subject to legal compulsion in various jurisdictions.
That’s not a hypothetical concern. It’s a live one.
For enterprise developers and established studios, the verification process will likely be a minor administrative task — comparable to existing know-your-customer requirements in financial services or the verification steps already required for Google Ads accounts. Many large publishers already undergo more extensive vetting through Google’s existing Play App Signing and Google Play Console verification features.
The real impact falls on the long tail. The hobbyist developer in Nairobi. The student in Jakarta building their first app. The small nonprofit in Bogotá distributing a community health tool. These are the developers for whom even modest bureaucratic friction can be a meaningful barrier, and they represent a constituency that has historically given Android its edge in global reach and diversity of offerings.
Google appears aware of this tension. The blog post specifically mentions a “streamlined verification path” for individual developers in markets where traditional business documentation may not apply, though details remain sparse. The company also confirmed that developers who have already completed D-U-N-S number verification for organizational accounts will receive expedited processing.
Industry reaction has been mixed but largely supportive among security professionals. “This is overdue,” said one mobile security researcher who spoke on background, noting that the ability to spin up anonymous developer accounts has been a persistent vulnerability in the Android distribution model. App store optimization firms, meanwhile, have flagged the potential for the verification requirement to reduce the flood of low-quality and copycat apps that clutter search results — a side benefit that could improve discoverability for legitimate developers.
The timing of Google’s announcement also coincides with increasing regulatory pressure in both the European Union and the United States. The EU’s Digital Services Act, which took full effect in 2024, imposes transparency obligations on very large online platforms, including requirements to verify the identity of traders using their services. Google’s developer verification program aligns closely with those obligations and may in fact have been accelerated by them. In the U.S., proposed legislation around app store accountability has similarly pushed toward mandatory developer identification, though no federal bill has yet been enacted.
So this isn’t just a security initiative. It’s a regulatory compliance play, a trust signal to users, and a competitive positioning move all wrapped into one policy change.
And it will reshape the economics of Android app publishing in ways that aren’t fully predictable. Verification requirements create a fixed cost of entry that, while not monetary in the traditional sense, demands time, documentation, and access to identity infrastructure. That cost is trivial for a company like Spotify or a game studio like Supercell. It’s potentially significant for a first-time developer in a low-income country.
Google has pledged to share more implementation details in the coming months, including specifics on supported document types by country, the third-party verification partner’s identity, and the exact timeline for the appeals process. Developers can sign up for updates through the Android Developers Blog.
The broader trajectory is clear. The era of anonymous app publishing on major platforms is ending. Whether that makes the Android app market safer, more equitable, or simply more controlled will depend entirely on the details Google has yet to reveal — and on whether the company can execute a global identity verification program without leaving millions of legitimate developers behind.


WebProNews is an iEntry Publication