Slashdot Mirror


Google is Adding Anti-Tampering DRM To Android Apps in the Play Store (androidcentral.com)

Google has introduced a small change to Play Store apps that could significantly protect several Android users. From a report: Earlier this week, Google quietly rolled out a feature that adds a string of metadata to all APK files (that's the file type for Android apps) when they are signed by the developer. You can't install an application that hasn't been signed during its final build, so that means that all apps built using the latest APK Signature Scheme will have a nice little chunk of DRM built into them. And eventually, your phone will run a version of Android that won't be able to install apps without it.

4 of 177 comments

  1. How will sideloading work? by b0s0z0ku · Score: 3, Interesting

    Right now, you can sideload by clicking through a disclaimer. Will you still be allowed to sideload unsigned apps (say, for your own testing)?

    What about installing an older version of an app if your version of Android doesn't support the new one? Will this be used to enforce regional restrictions (i.e. Facebook Messenger Lite is much less intrusive than the full Messenger, but isn't available in the US Play Store)?

  2. Yes, only "several" will be protected by macraig · Score: 4, Interesting

    And the rest of us must suffer the mighty fist of dictatorial oppression?

  3. Now you know your malware is legitimate. by NextApp · Score: 5, Interesting

    This does nothing to solve the malware problem on Android, because the malware is being distributed by "legitimate" vendors directly on the Play Store.

    I get complaints of full-screen video ads in my ad-free apps from users who have never side-loaded anything. Malicious apps are launching them from the background, which is against the TOS, but technically trivial to do. If they get caught, they either call it a bug or start another company/product-line.

    As far as I can tell, Google promotes the highest revenue-generating apps... so the dirtier the tactics you use, the more you succeed.

    The bad apps do take a beating on reviews from legitimate users, but this is worked around by the developers posting massive quantities of fake reviews. It's presently somewhat easy to spot: legit apps will have reviews that are generally 1-3 sentences long, while fraudulent ones will have pages of 1-3 word reviews (often clustered together). Google doesn't seem to care though, as even some of the most popular apps are doing this to counter backlash from ever more ridiculously aggressive in-app advertising.

    And then of course there's the problem that the average app today is so invasive of privacy that it would have been deemed outright malware ten years ago.

  4. Kill switch? by rsilvergun · Score: 5, Interesting

    That's why Mozilla started signing apps. It gives them a kill switch in case a plugin author sells their plugin to someone dishonest. There have been a few moderate-profile cases of it happening (nothing more than a few hundred thousand users, which sounds like a lot until you realize how many FF users there are).

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/