Google Announces 2029 Post‑Quantum Cryptography Migration Roadmap for Android and Cloud Services
What Happened – Google disclosed a multi‑year plan to replace vulnerable classical algorithms with NIST‑approved post‑quantum cryptography (PQC) across its authentication services, Android platform, and Google Play signing infrastructure, targeting full migration by 2029.
Why It Matters for TPRM –
- Quantum‑capable adversaries could retroactively break current TLS and code‑signing keys, exposing data and undermining supply‑chain integrity.
- Vendors that rely on Google’s APIs, Android devices, or Play Store signing may inherit the same risk if they do not adopt the upcoming PQC standards.
- Early alignment with Google’s timeline helps third‑party risk programs demonstrate proactive mitigation of a high‑impact, industry‑wide cryptographic shift.
Who Is Affected – Cloud service providers, SaaS platforms, mobile‑app developers, and enterprises that integrate Google authentication, Android devices, or Google Play distribution.
Recommended Actions –
- Review contracts and security questionnaires for clauses on cryptographic algorithm updates.
- Map any data‑in‑transit or code‑signing dependencies on Google services and plan for PQC algorithm adoption.
- Engage with Google’s migration guidance, test ML‑DSA‑based signatures in staging environments, and establish key‑rotation policies (minimum every two years).
Technical Notes – Google will transition Android Verified Boot and Remote Attestation to the Module‑Lattice‑Based Digital Signature Algorithm (ML‑DSA). Google Play will generate quantum‑safe signing keys for new and opt‑in apps, later allowing hybrid key upgrades. The effort follows NIST PQC standards and anticipates “store‑now‑decrypt‑later” attacks enabled by future large‑scale quantum computers.
Source: https://www.helpnetsecurity.com/2026/03/26/google-pqc-migration-timeline-2029/