Google Play security will extend to apps shared offline

By JC Torres/June 19, 2018 8:11 pm EST

Issues of control aside, there are technical and practical benefits to getting your Android apps from Google Play Store instead of third-party repositories or, worse, free-floating APKs. The biggest problem with that, however, is that installing apps, or even just browsing, requires an Internet connection, which might not be available at all times in all markets. Realizing that their ideal scenario doesn't exactly reflect reality, Google is now taking steps to make sure that apps downloaded from Google Play Store and shared offline can be verified as safe and treated like any normal Google Play Store app.

It may have its lapses, but Google Play's security system, now branded as Play Protect, is still better than no security at all. In a way, Google is using this feature to convince OEMs to get their devices Google-certified. Downloading apps from Google Play, however, naturally requires an Internet connection. And not all countries have such good connections, which makes downloading larger apps more than just inconvenient.

Android users in these countries have resorted to sharing APKs offline. We won't go through the process, but it's quite easy to get an APK off an Android phone and share it with others. Some will equate it with piracy, but for users in some markets, it's a matter of survival. Unfortunately, apps installed this way don't have the benefit of Google Play's security, even if the original was actually downloaded from the Play Store.

That will change soon as Google adds a small security metadata into APKs. The purpose of that metadata is to mark the APK as originally coming from Google Play Store or "Play-approved distribution channels". In other words, it's marked as "authentic". Whether the app itself is safe is a different question that depends on whether the original was safe in the first place.

This verification works even when the phone is offline and the app is added to the user's Play Store library. That means it will get regular updates through Google Play and will also be checked regularly with Play Protect. Developers and users won't need to do anything special on their end and everything will happen in the background automatically.