Slashdot Mirror


Google is Adding Anti-Tampering DRM To Android Apps in the Play Store (androidcentral.com)

Google has introduced a small change to Play Store apps that could significantly protect several Android users. From a report: Earlier this week, Google quietly rolled out a feature that adds a string of metadata to all APK files (that's the file type for Android apps) when they are signed by the developer. You can't install an application that hasn't been signed during its final build, so that means that all apps built using the latest APK Signature Scheme will have a nice little chunk of DRM built into them. And eventually, your phone will run a version of Android that won't be able to install apps without it.


  1. Good idea by SuperKendall · Score: 3, Insightful

    The article is dismissive of the direction this is heading, but in a world where 99% of the people using a mobile device simply have no ability to manage digital security, you just can't continue to allow people to install something from anywhere.

    As a technical user I absolutely want there to be way more open options where people with technical ability have a lot of freedom as to what they can do, and I'm sure some Android devices will continue to provide that. But the world also absolutely needs Apple-level closed off system like the App Store that protects people who cannot protect themselves from remote exploitation and harm.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re: Good idea by Anonymous Coward · Score: 3, Insightful

      This doesn't do any of that. It just makes it more difficult to install an app that the original developer hasn't signed off on.

    2. Re:Good idea by b0s0z0ku · Score: 5, Insightful

      So hide the ability to install unsigned or non-Play-Store apps, but don't prevent it entirely. Hiding it in Developer Options after a big, fat disclaimer should be enough, frankly.

      And no, the world doesn't need more Crapple-style paternalism where a bunch of do-gooding censoring pricks in Cupertino decide which apps are good enough for users to run. It's not only safety-based -- Apple has been known to ban political games or things which they find to be in poor taste.

    3. Re:Good idea by WaffleMonster · Score: 5, Insightful

      The article is dismissive of the direction this is heading, but in a world where 99% of the people using a mobile device simply have no ability to manage digital security, you just can't continue to allow people to install something from anywhere.

      Of course you can. It's done by creating operating systems not full of Swiss cheese escalation vulnerabilities and giving users meaningful access controls that never devolve into take-it-or-leave-it demands of software.

      Google refuses because it eats into profits of themselves and app developers. God forbid a user is able to feed fake location, address book and phone data into malware they downloaded from Google play store or restrict access to resources... App developers would riot. Owning users is the business model of the everything must be FREE app store market.

      As a technical user I absolutely want there to be way more open options where people with technical ability have a lot of freedom as to what they can do, and I'm sure some Android devices will continue to provide that.

      Damn straight!! The peasant class doesn't deserve no stinking freedom. They can't handle it. All Hail King Alphabet ruler of all teh Intertubes.

      But the world also absolutely needs Apple-level closed off system like the App Store that protects people who cannot protect themselves from remote exploitation and harm.

      Good grief, let me know when all the malware in the Google app store is gone. Really perverse aspect of these arguments is the failure to understand app stores themselves are responsible for creating "race to the bottom" market incentive that only fuels development of malware and resulting 0wnage of millions of users.

      This is nothing more than being as evil as possible for financial gain while blurting out "SECURITY" as justification for everything. No different than Facebook saying it needs to do cross site tracking of everyone everywhere in order to protect Facebook.

      The ONLY problem is proliferation of defective operating system jails and associated access controls.

    4. Re: Good idea by bluelip · Score: 5, Insightful

      It's not about security. Google is doing this to lock-in users to their ecosystem. They realize users are starting to look elsewhere for software because of the privacy issues. This step is about adding another course to the wall around the garden rather than protecting any user.

      --

      Yep, I never spell check.
      More incorrect spellings can be found he
  2. Re:How will sideloading work? by Anonymous Coward · Score: 5, Insightful

    google is trying to wall the garden in like apple (has mostly been able to do).

    soon only approved and signed software of any kind will run.

    rooting your device will be a thing of the past.

    side loading will be a thing of the past.

    as google pushes more for delivering updates themselves instead of relying on hardware or carrier partners, expect the (forced upon you) updates to kill any hacking or rooting you've done or 'unauthorized' apps you've managed to install.

    having any control of any kind over YOUR hardware will be over.

    developers will probably be able to purchase a dev kit to run apps they, and only they, are working on.

    expect a similar treatment for chrome browser and chromebooks.

  3. Re:How will sideloading work? by 110010001000 · Score: 4, Insightful

    Expect a similar treatment for ALL COMPUTERS and devices connected to the Internet. Don't think it will happen? Just wait.

  4. Re:Yes, only "several" will be protected by b0s0z0ku · Score: 4, Insightful

    The problem is when all of the large device makers end up cramming this filth down their users' gullets.

  5. Re:Self-fulfilling idio(crac)y! by Computershack · Score: 4, Insightful

    The only reason people behave so damn retarded with regard to computers ... and I mean on a level that qualifies as literally mentally disabled ... is because tech firms have treated people like non-independent retards until they were.

    No, it's because there are millions of people using computers today who just 25 years ago wouldn't have the basic knowledge to even work out how to put the system they'd bought together, let alone how to get online. Once upon a time using a computer required a reasonable amount of technical knowledge or at least an IQ sufficient enough to learn.

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
  6. Re:Not DRM by Anonymous Coward · Score: 2, Insightful

    Except this is pointless unless your intent is to require that all signers be pre-approved in the future. Otherwise it's just checking that the signature that's on the apk data, matches a key that was also in the same apk. See the part about the digests must match the signers in the apk here. Also, nice chopping up of the ZIP format again, that's not going to cause parsing bugs anywhere now is it?

    Malware still spreads with this, the only difference is that it's not able to claim itself as another package. Which malware authors already can't do easily, and wouldn't want to anyway. Less the Play Store "updates" the malware infested app with the legitimate one thus removing the malware.

    As I already said, the only thing this is good for is a future requirement of the signer's identity being pre-approved before installation. Such a scheme is ripe for abuse, I can easily see more repressive regimes around the world mandating only their lists be allowed. Never mind US carriers wanting to demand the same to help lock in profits. I.e. No more tethering app for you. It is DRM, it's just not fully baked yet.
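
Added example, not part of any comment above and not Android's own code: a simplified Go model of the two checks the last comment describes, a signature verified against a key carried in the same package (integrity only) and an installer that pins the first signer seen for a package name. `Pkg`, `Device`, `Sign`, the demo key labels and the package name are hypothetical, and the layout is not the real APK Signing Block.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Pkg is a simplified stand-in for a signed APK, not the real signing-block layout.
type Pkg struct {
	Name    string
	Payload []byte
	PubKey  ed25519.PublicKey // signer key carried inside the package itself
	Sig     []byte            // signature over Name and SHA-256(Payload)
}

func signedData(name string, payload []byte) []byte {
	d := sha256.Sum256(payload)
	return append([]byte(name+"\x00"), d[:]...)
}

// Sign builds a package signed with a constructed demo key derived from a label.
func Sign(name string, payload []byte, signer string) Pkg {
	seed := sha256.Sum256([]byte(signer))
	priv := ed25519.NewKeyFromSeed(seed[:])
	sig := ed25519.Sign(priv, signedData(name, payload))
	return Pkg{name, payload, priv.Public().(ed25519.PublicKey), sig}
}

// SelfConsistent proves integrity only: contents match whatever key is embedded.
func SelfConsistent(p Pkg) bool {
	return len(p.PubKey) == ed25519.PublicKeySize &&
		ed25519.Verify(p.PubKey, signedData(p.Name, p.Payload), p.Sig)
}

// Device pins the first signer key seen for each package name.
type Device map[string]ed25519.PublicKey
func (d Device) Install(p Pkg) error {
	if !SelfConsistent(p) {
		return fmt.Errorf("%s: signature does not match contents", p.Name)
	}
	if old, ok := d[p.Name]; ok && !bytes.Equal(old, p.PubKey) {
		return fmt.Errorf("%s: signer differs from installed version", p.Name)
	}
	d[p.Name] = p.PubKey
	return nil
}

func main() {
	fmt.Println(Device{}.Install(Sign("com.example.app", []byte("v1"), "developer")))
}
```

A package re-signed with a different key still passes `SelfConsistent` and installs on a device that has never seen that name; only the pin on a device that already has the original stops it, which is the "can't claim itself as another package" property.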