A small but significant change was made to the Play Store this week, and it affects all Android apps. Google is now adding a “small” string of security metadata to every APK it distributes, designed to show that an app is authentic and came from the Play Store or another approved source. Functionally it looks a lot like DRM (digital rights management), but Google’s stated intent is to improve the security of the Android platform by making it harder for counterfeit apps, or apps carrying malicious code, to be installed.
The metadata is applied to all apps signed with the latest APK Signature Scheme: it is inserted into the APK Signing Block that the scheme introduced, which sits outside the content covered by the developer’s own signature, so the developer’s signature stays valid and no action is needed on their side. Google says Android will eventually expect that data to be present in any installed app. According to Google, this lets an app be verified as a Play-distributed app even when it was not downloaded from the Play Store directly, and lets it be added to the user’s Play library so that later updates arrive from the official source.
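To see what “inserted into the APK Signing Block” means in practice, here is an added example (not code from the Android Developers Blog or from Google) that builds a tiny APK, splices a signing block in front of its central directory the way the public APK Signature Scheme v2 format lays it out, and then walks the block’s ID-value entries. The page does not give the block ID that Play uses for its metadata, so the sample uses a made-up placeholder ID and reports any ID outside the documented signing IDs as unrecognized rather than guessing.

```python
"""Build and parse an APK Signing Block (added example, not project code).

Layout per the public APK Signature Scheme v2 format: the block sits directly
in front of the ZIP central directory and is
    uint64 size | ID-value pairs | uint64 size (again) | "APK Sig Block 42"
where each pair is  uint64 length | uint32 ID | value  (length covers ID+value).
"""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"
EOCD_MIN_LEN = 22          # fixed part of the end-of-central-directory record
EOCD_CD_OFFSET_FIELD = 16  # offset of the 4-byte "central directory offset"

# IDs documented by Android's signing tooling. Anything else is reported as
# unrecognized rather than assumed to be Play metadata.
KNOWN_BLOCK_IDS = {
    0x7109871A: "APK Signature Scheme v2",
    0xF05368C0: "APK Signature Scheme v3",
    0x42726577: "verity padding",
}

# Hypothetical ID that stands in for a distribution-metadata entry in the
# constructed sample. It is NOT the real Play metadata ID.
HYPOTHETICAL_METADATA_ID = 0x11223344


def _find_eocd(data):
    """Return the offset of the EOCD record (last 64 KiB may hold a comment)."""
    tail = data[-(EOCD_MIN_LEN + 0xFFFF):]
    base = len(data) - len(tail)
    idx = tail.rfind(EOCD_SIGNATURE)
    while idx >= 0:
        if idx + EOCD_MIN_LEN <= len(tail):
            comment_len = struct.unpack_from("<H", tail, idx + 20)[0]
            if idx + EOCD_MIN_LEN + comment_len == len(tail):
                return base + idx
        idx = tail.rfind(EOCD_SIGNATURE, 0, idx)
    raise ValueError("EOCD record not found")


def build_plain_apk():
    """Constructed minimal ZIP standing in for an unsigned APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


def build_apk_with_signing_block(entries):
    """Splice a signing block holding `entries` [(id, value), ...] into the
    constructed APK and fix the EOCD so the central directory is still found."""
    data = bytearray(build_plain_apk())
    eocd = _find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + EOCD_CD_OFFSET_FIELD)[0]
    pairs = b"".join(struct.pack("<QI", 4 + len(v), bid) + v for bid, v in entries)
    size = len(pairs) + 8 + 16  # excludes the leading size field itself
    block = (struct.pack("<Q", size) + pairs + struct.pack("<Q", size)
             + APK_SIG_BLOCK_MAGIC)
    struct.pack_into("<I", data, eocd + EOCD_CD_OFFSET_FIELD, cd_offset + len(block))
    return bytes(data[:cd_offset] + block + data[cd_offset:])


def parse_signing_block(data):
    """Return [(id, value), ...] from the APK Signing Block, or raise ValueError."""
    eocd = _find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + EOCD_CD_OFFSET_FIELD)[0]
    if cd_offset < 24:
        raise ValueError("no room for an APK Signing Block")
    size, magic = struct.unpack("<Q16s", data[cd_offset - 24:cd_offset])
    if magic != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block magic before central directory")
    start = cd_offset - size - 8
    if size < 24 or start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("inconsistent APK Signing Block size fields")
    pos, end, pairs = start + 8, cd_offset - 24, []
    while pos < end:
        length = struct.unpack_from("<Q", data, pos)[0]
        if length < 4 or pos + 8 + length > end:
            raise ValueError("malformed ID-value pair")
        block_id = struct.unpack_from("<I", data, pos + 8)[0]
        pairs.append((block_id, bytes(data[pos + 12:pos + 8 + length])))
        pos += 8 + length
    return pairs


def has_signing_block(data):
    try:
        parse_signing_block(data)
        return True
    except ValueError:
        return False


def unrecognized_ids(pairs):
    """IDs outside the documented set; presence alone proves nothing."""
    return [bid for bid, _ in pairs if bid not in KNOWN_BLOCK_IDS]


def zip_entries(data):
    """The ZIP must still open normally after the block is spliced in."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


if __name__ == "__main__":
    apk = build_apk_with_signing_block([(0x7109871A, b"\x00" * 32),
                                        (HYPOTHETICAL_METADATA_ID, b"metadata")])
    for bid, value in parse_signing_block(apk):
        print(f"0x{bid:08x} {KNOWN_BLOCK_IDS.get(bid, 'unrecognized'):<24} {len(value)} bytes")
```

The design point worth taking away is why Google can add the entry without touching the developer’s signature: the v2 signature covers the ZIP entries, central directory and EOCD but not the signing block itself, so a new ID-value pair can be appended freely. The flip side is that anyone else can append one too. A check that merely looks for the presence of an entry, as `unrecognized_ids` does here, is inventory, not authentication; the assurance the article describes comes only from Android verifying the entry against Google’s own key.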
The change means Android users can be more confident that an app really is the one Google Play distributed. Most of us already download apps from the Play Store, but that is not always the case in emerging markets with limited or expensive data connections, where users often turn to unofficial channels such as peer-to-peer sharing portals. Verifiable metadata helps stop malicious apps that mimic popular software in order to harvest data from being installed in the first place.
Of course, because this still behaves like DRM, there is still reason for concern. The metadata gives developers more control over how and when their apps are used. For example, changing the metadata string could force users onto the latest version, such as one that now includes ads, instead of letting them stay on an earlier release. It is still too early to know whether that kind of abuse will happen, but on the surface the change looks like a step forward for mobile security.
SOURCE Android Developers Blog