Scope: What Certification Actually Covers
Two distinct programs travel under the "certification" label, and conflating them generates most of the confusion. Device certification binds manufacturers — hardware security, preinstallation rules, attestation. App-level requirements bind publishers — API targeting, quality thresholds, data disclosure. The 2026 cycle tightens both; only the second concerns anyone reading this as an app publisher.
Publisher Obligations, 2026 Cycle
API target enforcement continues its annual advance. Apps must target an Android API level within Google's rolling window or face reduced distribution and, eventually, delisting. For web-based apps this is a property of the shell, not the content: regenerating the app with maintained tooling satisfies it. The operative risk is neglect, not difficulty.
Quality thresholds gain teeth. Google's vitals program now penalizes listings for excessive startup latency, crash rates and unresponsive frames. A WebView application's startup profile is substantially its website's load profile; the remediation is conventional web performance work — image discipline, script deferral, competent hosting.
Data safety enforcement is now audit-backed. Declarations are checked against observed behavior, and mismatches draw enforcement. A converted site's data footprint is its analytics, advertising and form infrastructure. Declare what is actually embedded; review the form whenever the site's third-party scripts change.
Obligations You Do Not Have
The certification discourse includes substantial material irrelevant to publishers of web-based applications:
- Hardware attestation, secure boot, manufacturer preload policy — manufacturer scope, full stop.
- Sensitive permission programs (SMS, call log, accessibility, background location) — a web-based app requests none of these and is untouched by their tightening.
- SDK-specific mandates for embedded third-party native SDKs — WebView applications typically embed none beyond ads/push, which maintained generators keep current.
A Defensible Compliance Cadence
Twice yearly, roughly thirty minutes each:
- Regenerate and republish the app to refresh its API target.
- Run the site through performance tooling; remediate regressions above the fold.
- Diff the data safety declaration against the site's current script inventory.
- Verify the privacy policy URL resolves and remains accurate.
Publishers operating on this cadence experience certification cycles as administrative noise. The enforcement casualties each cycle are apps without an owner paying attention — a category that is entirely optional to join.
If your build predates the current API window: regeneration through the pipeline takes minutes and emits a current-target AAB ready for resubmission.