In a recent blog post Google announced that the early access phase of its Android Developer Verification program has commenced, as previously announced. In addition to this new announcement Google also claims to be taking note of the feedback it has been receiving, in particular pertaining to non-commercial developers for whom these new measures are incredibly inconvenient. Yet most notable is the ’empowering experienced users’ section, where Google admits that to developers and ‘power users’ the intensive handholding isn’t required and it’ll develop an ‘advanced flow’ where unverified apps can still be installed without jumping through (adb) hoops.What this new option will look like, and how it’ll differ from the current warning pop-up when installing an APK not via the Play Store remains to be seen. Either way, it highlights the impossible balance that Google is trying to strike between a simultaneously open ecosystem and a high-security one. A problem with a central software repository is that while it does provide a lot of convenience for end users, ensuring that all software in it is vetted and safe is a tough one.In the case of something like the Debian or FreeBSD software repositories, these are quite locked down and with no random developer getting their software in without some serious work, whereas the very open NPM and Python repositories are practically overrun with malware. Here Google has to choose and pick its battles, with the scenario of scammers making a victim download a fake ‘verification app’ clearly being front and center on their mind. The problem here being of course that this is trying to fix a social engineering issue with technology, which only gets you so far and risks immense damage in the process.For developer types, Google still only distinguishes between commercial developers and students/hobbyists, with the latter developing for a ‘small group’, making one wonder how OSS software with potentially very large userbases will be treated. Will they have to go through the whole ‘submit government ID scan’ and publishing of personal contact information on the app details page, same as for a commercial app?Either way, it seems like good progress at least that the option of distributing APKs via alternate app stores as well as places like GitHub will be preserved. Telling users to just mash the ‘Ok’ button a few times on scary dialogs is significantly more straightforward than instructing them on how to push your app onto their Android device via adb would be. In fact, most users probably won’t need any special encouragement to do so.