
Google is changing how the Play Store app verifies the authenticity of Android apps before installation. The company plans to add a small piece of security metadata to APK (Android app) files themselves, inserted into the APK Signing Block, so that the package carries a Play-issued signature proving it was distributed through Google Play.

Apps didn't include this metadata before because they didn't need it: the authenticity check happened online. The official Play Store app verified an app with Google's servers in the background before installation, and an APK copied off one device onto another carried nothing that tied it to the Play Store.

With the metadata embedded in the APK itself, Google is now allowing users to download official apps from the Play Store and distribute them through other channels, provided the files are not modified in any way, since any change to the package would invalidate the signature.

Official apps can now be installed while offline

"One of the reasons we're doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity," said James Bender, Product Manager of Google Play.

"In the future, [...] we'll be able to determine app authenticity while a device is offline," he added.

When a user tries to side-load an app obtained through one of these peer-to-peer sharing channels, the Play Store app will check the added metadata field and determine whether the app came from the official Google Play Store. If it did, the installation is allowed and the app is added to the device's official Play app inventory.

When the device comes back online, the app is automatically queued to receive updates from the Play Store, something that was not previously possible for apps side-loaded while the user was offline.

New system will broaden app distribution channels

Bender says the new signature field will benefit developers, who gain a broader channel for distributing their apps and are no longer limited to the Play Store alone.

Some security researchers argue that the change could let malicious apps that were briefly listed on the official Play Store pass as authentic when shared through offline channels. The metadata attests that Google Play distributed that exact file at the time it was downloaded, not that the app is still listed, so a copy made before Google removed the app from the store would still verify as genuine afterwards.

The good news is that the change is seamless for app developers and users alike, who don't need to do anything. Google performs the update on its side.

"We're adjusting Google Play's maximum APK size to take into account the small metadata addition, which is inserted into the APK Signing Block," Bender said.
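The APK Signing Block Bender refers to is the region of the ZIP file that sits immediately before the central directory and holds length-prefixed ID-value pairs (the v2 signature is one such pair). The following added example, which is not Google's code and not from the article, builds a small constructed APK in memory, splices in a signing block with two pairs, and walks the block to list what it contains. Only the structure is parsed: the Play metadata value is opaque here and is not cryptographically verified, because the key Google uses for it is not described on this page. The pair ID `0x2146444e` used for the Play metadata is an assumption taken from third-party tooling, not from the article; `0x7109871a` is the v2 signature ID from the APK Signature Scheme v2 format.

```python
"""Enumerate the ID-value pairs of an APK Signing Block.

Added example, not code from Google or from the article. The sample APK
is constructed inline; the Play metadata ID is an assumption.
"""
import io
import struct
import zipfile

SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_MAGIC = b"PK\x05\x06"
ID_V2_SIGNATURE = 0x7109871A   # APK Signature Scheme v2 pair ID
ID_PLAY_METADATA = 0x2146444E  # assumption: ID reported for Play metadata


def find_eocd(data: bytes) -> int:
    """Offset of the End of Central Directory record (scan backwards,
    since up to 65535 bytes of archive comment may follow it)."""
    start = max(0, len(data) - 22 - 0xFFFF)
    idx = data.rfind(EOCD_MAGIC, start)
    if idx < 0:
        raise ValueError("no EOCD record: not a ZIP/APK")
    return idx


def central_directory_offset(data: bytes) -> int:
    """cd_offset lives 16 bytes into the EOCD record."""
    (cd_offset,) = struct.unpack_from("<I", data, find_eocd(data) + 16)
    return cd_offset


def parse_signing_block(data: bytes) -> dict:
    """Return {pair_id: value} for the signing block, or {} if absent.

    Layout (v2 scheme): [size u64][pairs...][size u64][16-byte magic],
    where each pair is [length u64][id u32][value], and size counts
    everything except the leading u64 itself.
    """
    cd_offset = central_directory_offset(data)
    footer = cd_offset - 24
    if footer < 0:
        return {}
    size_tail, magic = struct.unpack_from("<Q16s", data, footer)
    if magic != SIG_BLOCK_MAGIC:
        return {}
    block_start = cd_offset - 8 - size_tail
    if block_start < 0:
        raise ValueError("signing block size exceeds file")
    (size_head,) = struct.unpack_from("<Q", data, block_start)
    if size_head != size_tail:
        raise ValueError("signing block size fields disagree")
    pairs, pos = {}, block_start + 8
    while pos < footer:
        (length,) = struct.unpack_from("<Q", data, pos)
        pos += 8
        if length < 4 or pos + length > footer:
            raise ValueError("malformed ID-value pair")
        (pair_id,) = struct.unpack_from("<I", data, pos)
        pairs[pair_id] = data[pos + 4:pos + length]
        pos += length
    return pairs


def has_play_metadata(data: bytes) -> bool:
    """The presence check a side-loading client would start with."""
    return ID_PLAY_METADATA in parse_signing_block(data)


def build_signing_block(pairs: dict) -> bytes:
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs.items())
    size = len(body) + 8 + 16
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + SIG_BLOCK_MAGIC


def make_plain_zip() -> bytes:
    """Constructed sample: a one-entry ZIP with no signing block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()


def make_constructed_apk(pairs: dict) -> bytes:
    """Splice a signing block in front of the central directory and
    patch the EOCD's cd_offset so the ZIP stays readable."""
    raw = make_plain_zip()
    cd_offset, eocd = central_directory_offset(raw), find_eocd(raw)
    block = build_signing_block(pairs)
    new_eocd = raw[eocd:eocd + 16] + struct.pack("<I", cd_offset + len(block)) + raw[eocd + 20:]
    return raw[:cd_offset] + block + raw[cd_offset:eocd] + new_eocd


def readback_manifest(apk: bytes) -> bytes:
    """Confirm the spliced file is still a valid ZIP for ordinary readers."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read("AndroidManifest.xml")


if __name__ == "__main__":
    apk = make_constructed_apk({ID_V2_SIGNATURE: b"\x01\x02", ID_PLAY_METADATA: b"meta"})
    for pair_id, value in parse_signing_block(apk).items():
        print(f"0x{pair_id:08x}: {len(value)} bytes")
    print("play metadata present:", has_play_metadata(apk))
```

Two points worth noting. The block is found relative to the central directory, not by searching for the magic, so a copy of the magic string hidden inside an archive entry cannot fool the parser. And a v1-only APK, or a plain ZIP, simply returns no pairs, which is the same outcome a side-loading client should treat as "not distributed by Play" rather than as an error.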
