Google announced on its developer blog today that it would be adding what it calls a Signing Block to all Android apps that are provided by "Play-approved distribution channels." This new initiative is designed to confirm that the app is what it says it is, in regions of the world where the app installation files themselves (known as APKs or Android Package Kits) are traded between users instead of coming from the Google Play Store.
In some countries where Internet connections are spotty and expensive, peer-to-peer app sharing has become common, and such an app may spend extended periods of time offline. This can make it difficult for Google to spot the app on your device, provide updates, and add it to your Google Play app library.
With this new APK Signing Block, the company is adding a few additional lines of code to the installer, acting as a seal of approval. Google is also raising the app file size limit to accommodate these extra lines of code.
Can you still install APKs from other websites?
It's not clear yet what this means for non-approved websites that have built themselves around providing a catalog of APKs for people to download and install outside of the Google Play Store. The technical underpinnings of Google's new app security model do include the option to reject the installation of an app that lacks the Signing Block code string. We contacted Google about these concerns but did not immediately receive a response.
In addition to avoiding expensive data fees, third-party app distribution can also allow a user access to services that are not available in their country yet, or perhaps ever. For example, apps provided for beta testing may only appear in test markets before getting a wider release.
Direct APK downloads allow you to test-drive an app months or weeks before its intended release date. But while this can be convenient for users, it can reveal an app to the world before it's truly ready, and it can put unexpected pressure on the app maker's customer support infrastructure. Unapproved APKs can also be a way for malware to get onto your Android device.
On the iOS side, app testing is tightly controlled via Apple's TestFlight app, but no such formalized model exists on the Android side. Perhaps Signing Blocks can be used for this purpose. Either way, the implications for the future of non-approved APK providers remain unclear.
- Google has been under continual pressure to address fragmentation within Android, where versions of the operating system vary wildly from one market and one device maker to the next. In theory, APK Signing Blocks can be used to align the version of an app with the version of Android that Google wants to push.
- The mostly-offline app distribution and usage that Google wants to certify makes it difficult for the company to track how people are using Android in certain markets. Being able to connect a third-party APK to the Google Play Store gives the company a better view of the app market so that it can identify areas of improvement.