Android Apps Now Have Secure ID; Avoid Malicious Installs

By John Lister

Google is adding a marker to Android apps distributed through the Google Play store so that a device can confirm an app really came from Play. It is described as a security measure that could be particularly helpful in places with unreliable data connections.

The change is to APK (Android Package) files, the files used to install an application on an Android device. When you install an app from the Google Play store, an APK file is what gets installed, but the format is exactly the same when the app is downloaded from a third-party website, so the file itself does not tell you where it came from.

Google is adding security metadata to every APK distributed through the Google Play store. This small piece of metadata (it is not executable code) confirms that the APK was distributed by Play, much as a TLS certificate lets a browser confirm it is talking to the genuine site rather than an impostor. If the file later reaches a user by some route other than the Play store, the device can check the metadata and confirm the APK is the one Google Play distributed. Note what the check does and does not prove: it establishes origin and integrity, not that the app is safe, since a malicious app that made it into the store would carry the same metadata.

Apps Can't Be Altered Without Detection

Because the security metadata is tied to the exact contents of the APK, it is not possible to take a file from Google Play, alter it (to add malicious code, for example) and redistribute it without the altered file failing the check on the receiving device. Android already verifies the developer's own signature over an APK's contents at install time; the new metadata adds Play's confirmation of origin on top of that.

While it might seem an odd move to people who habitually get their Android apps directly from the official Play Store, it does have uses. In countries with limited or unreliable data plans, many users share Android apps through peer-to-peer file-sharing software, a practice Google supports. This can mean receiving a file in many small pieces from several sources and reassembling it once all the pieces have arrived.

Google says the change will mean people getting apps this way will be able to confirm that the file they end up with is the same one that was uploaded to the Play Store. (Source: googleblog.com)
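The mechanism described above, written out as an added example that is not part of the original article and is not Google's code or file format: the distributor ("Play" here) signs a digest of the package bytes and attaches it, and a device holding the distributor's public key can then tell a genuine, unmodified file from one that was altered, one that was repackaged and signed with someone else's key, or one carrying no metadata at all. It also covers the peer-to-peer case, where pieces arrive out of order and are reassembled before the whole file is checked. The trailer layout, the Ed25519 key pair and the stand-in package bytes are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed illustration, not Google's format: the distributor appends a
// trailer of [SHA-256 digest | Ed25519 signature over the digest | magic].
var trailerMagic = []byte("ORIGIN01")

const trailerLen = sha256.Size + ed25519.SignatureSize + 8

// Attach binds the package bytes to the distributor's signing key.
func Attach(pkg []byte, distributorKey ed25519.PrivateKey) []byte {
	digest := sha256.Sum256(pkg)
	sig := ed25519.Sign(distributorKey, digest[:])
	out := make([]byte, 0, len(pkg)+trailerLen)
	out = append(out, pkg...)
	out = append(out, digest[:]...)
	out = append(out, sig...)
	return append(out, trailerMagic...)
}

// Verify checks the trailer against the trusted distributor public key and
// returns the package bytes only if both origin and integrity hold.
func Verify(file []byte, distributorPub ed25519.PublicKey) ([]byte, error) {
	if len(file) < trailerLen {
		return nil, errors.New("file too short to carry origin metadata")
	}
	n := len(file) - trailerLen
	pkg := file[:n]
	digest := file[n : n+sha256.Size]
	sig := file[n+sha256.Size : n+sha256.Size+ed25519.SignatureSize]
	if !bytes.Equal(file[n+sha256.Size+ed25519.SignatureSize:], trailerMagic) {
		return nil, errors.New("no origin metadata present")
	}
	// Origin: only the distributor's key can produce a valid signature.
	if !ed25519.Verify(distributorPub, digest, sig) {
		return nil, errors.New("origin signature invalid: not from the trusted distributor")
	}
	// Integrity: any change to the payload breaks the signed digest.
	if actual := sha256.Sum256(pkg); !bytes.Equal(actual[:], digest) {
		return nil, errors.New("payload altered: does not match signed digest")
	}
	return pkg, nil
}

// Chunk is one piece received from a peer during offline sharing.
type Chunk struct {
	Offset int
	Data   []byte
}

// Reassemble joins out-of-order chunks and refuses a file with gaps.
func Reassemble(chunks []Chunk, total int) ([]byte, error) {
	out := make([]byte, total)
	covered := make([]bool, total)
	for _, c := range chunks {
		if c.Offset < 0 || c.Offset+len(c.Data) > total {
			return nil, fmt.Errorf("chunk at offset %d exceeds declared size %d", c.Offset, total)
		}
		copy(out[c.Offset:], c.Data)
		for i := range c.Data {
			covered[c.Offset+i] = true
		}
	}
	for i, ok := range covered {
		if !ok {
			return nil, fmt.Errorf("missing byte at offset %d", i)
		}
	}
	return out, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed distributor key pair
	pkg := []byte("PK\x03\x04 constructed stand-in for the bytes of an APK")
	signed := Attach(pkg, priv)

	// Peer-to-peer delivery: pieces arrive out of order from two peers.
	file, err := Reassemble([]Chunk{{30, signed[30:]}, {0, signed[:30]}}, len(signed))
	if err == nil {
		_, err = Verify(file, pub)
	}
	fmt.Println("reassembled file:", err) // nil: from the distributor and unmodified

	// Tampering: one payload byte flipped, metadata left in place.
	tampered := append([]byte(nil), signed...)
	tampered[7] ^= 0x01
	_, err = Verify(tampered, pub)
	fmt.Println("tampered file:", err)

	// Repackaging: an attacker re-signs the altered payload with their own key.
	_, attackerKey, _ := ed25519.GenerateKey(nil)
	_, err = Verify(Attach(tampered[:len(pkg)], attackerKey), pub)
	fmt.Println("attacker-signed file:", err)
}
```

Two things the example makes concrete. The check proves origin and integrity, not safety: a malicious app that made it into the store passes it just as a benign one does. And the placement differs from the real thing: Google says the metadata is inserted into the APK Signing Block, so it sits alongside the developer's own APK signature rather than being tacked onto the end of the file, and a file without the metadata is simply treated as an ordinary sideloaded APK.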

Automatic Updates Enabled

Another benefit is that apps carrying the metadata will be eligible for automatic updates from the Google Play Store, even when they were originally received peer-to-peer rather than downloaded from the store.

Not everyone has welcomed the move without reservations, however. Some have raised concerns that the metadata could be used to push users onto an unwanted new version of an app, or even that Google or phone manufacturers might one day use it to block devices from running any app that did not originally come from Google Play. (Source: slashgear.com)

What's Your Opinion?

Do you have an Android device? If so, have you ever obtained an app from a source other than the Google Play store? Is this new move a good balance between security and choice?


Comments

Dennis Faas

As far as I know there is an option in Settings -> Lock Screen and Security -> Unknown sources which allows you to install apps from third parties (that are not from Google Play). With the new APK security metadata, there should also be an option from Google to not automatically upgrade apps from unknown sources during the program install. This could be done by keeping track of where the APK originated from (i.e., not from Google Play's website). This would keep some users happy, though I agree with Google's approach that validated apps are eligible for the automatic upgrades because they almost always fix security issues.