Offline Android apps get new security check

How do Android users know whether an app is genuine?

Currently, the best advice is to study the app’s source, but given they can be loaded from three – the Play Store, from a third-party source, or from an offline source – it’s not always as easy to tell as it should be.

Third-party consumer repositories have a poor reputation, so much so that Android disallows downloading from them by default.

Instead, Google recommends people stick to its Play Store, but even here plenty of malicious apps seem able to wriggle through the supposedly ever-higher security wall thrown up by Google’s Play Protect security.

That leaves offline sources, where large numbers of Android users get their apps in countries with poor or expensive online connectivity.

The APK (Android Package Kit), akin to .exe files on a Windows computer, is the Android file format used to distribute apps.

The problem is that, because users load them from a peer while offline, Android has no way of knowing whether they originated from the Play Store or not, or have been tampered with.

With this problem in mind, Google this week confirmed plans trailed last year to add a “a small amount of security metadata” to each app APK as a way of confirming it originated in the Play Store.

According to Google Play’s product manager, James Bender, this means:

In the future, for apps obtained through Play-approved distribution channels, we’ll be able to determine app authenticity while a device is offline, add those shared apps to a user’s Play Library, and manage app updates when the device comes back online.

This will be added to something called the APK signing block – the part of the file used to cryptographically verify an app’s developer and allow them to update without having to ask for complicated permissions.

While this adds no security for the majority of Android users who get their apps from the Play Store, it raises the intriguing possibility that more might one day be distributed offline (with magazines, for instance) on the back of this security tweak.

Of course, this doesn’t address the problem we mentioned at the start of this article – malicious apps that have somehow sneaked into the Play Store itself.

Even Google’s most recent estimate is that it removed 700,000 from this location in 2017 alone, ironically a statistic intended to reassure people (in other words, they were spotted).

Despite all the security Google has added recently, separating friend from foe in the Play Store remains a manual process of checking the developer name, the number and quality of reviews, and the download count. That won’t end soon.

If you encounter an app that looks off on these criteria, consider reporting it to Google. Despite all its much-vaunted automatic security, the company still needs your help.