Google Marks APKs Distributed by Google Play
22.6.18 securityweek Android
Google this week announced that it is adding a small amount of security metadata on top of APKs distributed by Google Play in order to verify their authenticity.
Initially announced in December 17, the new change is designed to verify product authenticity from Google Play and is accompanied by an adjusted Google Play maximum APK size to take into account the small metadata addition.
The metadata is meant to work similarly to the official labels or badges that manufacturers place on physical products to mark their authenticity. The metadata will signify Play’s badge of authenticity for all Android apps distributed through the official marketplace.
“One of the reasons we're doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity,” James Bender, Product Manager, Google Play, says.
According to Bender, the new “badge” will help determine the authenticity of apps obtained through Play-approved distribution channels when the device is offline. These shared apps will be added to a Play Library, and app update management will be possible when the device has connectivity.
“This will give people more confidence when using Play-approved peer-to-peer sharing apps,” he notes.
Developers are also expected to benefit from this change, not only because a Play-authorized offline distribution channel will be available for them, but also because, once the peer-to-peer shared apps are added to the Play library, they become eligible for updates from Play.
Google says no action is required from the developers or from the users of their applications. The small metadata addition is inserted into the APK Signing Block and is expected to improve the integrity of Google Play's mobile app ecosystem.
Beginning in August 18, developers will need to target API level 26 (Android 8.0) or higher with their new apps. Starting November this year, app updates will have to comply with this requirement as well. Existing applications that don’t receive updates won’t be affected by these changes.