Google is changing how the Play Store app is verifying the authenticity of Android apps before installation. The company plans to modify the header of APK (Android app) files to include a new metadata field that contains the app's file signature.
Apps previously didn't include this field because they didn't need it, as Google-approved apps could be installed only via the official Play Store app, which handled all these checks in the background, before the app's installation.
With the addition of an app file signature to the APK itself, Google now allows users to download official apps from the Play Store and distribute them via other channels, provided they do not modify the apps in any way.
"One of the reasons we're doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity," said James Bender, Product Manager of Google Play.
"In the future, [...] we'll be able to determine app authenticity while a device is offline," he added.
When a user tries to side-load an app obtained through one of these peer-to-peer app sharing networks, the Play Store app will verify the additional metadata field and determine whether the app came from the official Google Play Store; if it did, the Play Store app allows the installation and syncs the app with the phone's official app inventory.
When the user comes back online, the app will automatically be queued to receive updates from the Play Store, something that was not previously possible for apps side-loaded while the device was offline.
Bender says this new app signature field will benefit developers because they have a broader channel for distributing apps, and won't be limited to the Play Store alone.
Some security researchers argue this change could allow malicious apps that were briefly available on the official Play Store to appear authentic when distributed via offline channels, because their file signature would remain valid even after the app's removal from the Play Store.
Great, so malicious apps that have managed to sneak into the Store but were later removed from here would be able to be distributed by other channels. — Vess (@VessOnSecurity) June 20, 2018
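To make the gap the researchers point at concrete, here is an added illustration in Go; it is not Google's code and does not reproduce the real APK metadata format. It models a store-signed container with a trailing signature field, the offline check the article describes (signature valid and file unmodified), and the extra step that check cannot provide on its own: consulting a revocation list so that an app pulled from the store after signing is still refused. The container layout, the Ed25519 store key, the app ID `com.example.pulled` and the denylist are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical container layout (constructed for this example, not the real
// APK format): 4-byte big-endian payload length, the payload (standing in for
// the app's ZIP content), then a 64-byte Ed25519 signature over the payload
// stored as a trailing "metadata field".
const sigLen = ed25519.SignatureSize

// Package wraps the payload and appends the store's signature as metadata.
func Package(storeKey ed25519.PrivateKey, payload []byte) []byte {
	sig := ed25519.Sign(storeKey, payload)
	buf := make([]byte, 4, 4+len(payload)+sigLen)
	binary.BigEndian.PutUint32(buf, uint32(len(payload)))
	buf = append(buf, payload...)
	return append(buf, sig...)
}

// Split parses the container back into payload and signature, rejecting
// truncated or length-inconsistent input before any crypto runs.
func Split(pkg []byte) (payload, sig []byte, err error) {
	if len(pkg) < 4+sigLen {
		return nil, nil, errors.New("package too short")
	}
	n := int(binary.BigEndian.Uint32(pkg[:4]))
	if 4+n+sigLen != len(pkg) {
		return nil, nil, errors.New("length field does not match package size")
	}
	return pkg[4 : 4+n], pkg[4+n:], nil
}

// VerifyOffline mirrors the check the article describes: with only the
// store's public key, decide whether the file was signed by the store and is
// unmodified. No network access is needed, which is the whole point.
func VerifyOffline(storePub ed25519.PublicKey, pkg []byte) bool {
	payload, sig, err := Split(pkg)
	if err != nil {
		return false
	}
	return ed25519.Verify(storePub, payload, sig)
}

// VerifyWithDenylist adds what the signature alone cannot express: a valid
// signature proves the store signed this exact file at some point, not that
// the app is still listed. A revocation list fetched at the last sync (here a
// set of app IDs) closes that gap for the offline case.
func VerifyWithDenylist(storePub ed25519.PublicKey, pkg []byte, appID string, removed map[string]bool) (bool, string) {
	if !VerifyOffline(storePub, pkg) {
		return false, "signature invalid or file modified"
	}
	if removed[appID] {
		return false, "signature valid but app was removed from the store"
	}
	return true, "ok"
}

func main() {
	// Constructed store signing key; in reality only the public half would
	// ship to devices.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := Package(priv, []byte("constructed app payload"))
	removed := map[string]bool{"com.example.pulled": true} // constructed denylist
	fmt.Println("offline signature check:", VerifyOffline(pub, pkg))
	ok, why := VerifyWithDenylist(pub, pkg, "com.example.pulled", removed)
	fmt.Println("with denylist:", ok, "-", why)
}
```

The first check passes and the second fails for the same file, which is exactly the situation the tweet above describes: signature authenticity and current store status are two different questions, and an offline verifier that only answers the first will accept apps that were later pulled.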
The good news is that this change is seamless for app developers and users alike, who don't need to do anything. Google will be doing all the updating.