How do Android users know whether an app is genuine?
Currently, the best advice is to consider where the app came from, but given that apps can arrive from three kinds of source – the Play Store, a third-party store or website, or an offline copy passed from another device – it’s not always as easy to tell as it should be.
Third-party consumer repositories have a poor reputation, so much so that Android blocks installation from unknown sources by default.
Instead, Google recommends people stick to its Play Store, but even here plenty of malicious apps seem able to wriggle through the supposedly ever-higher wall thrown up by Google Play Protect.
That leaves offline sources, which is how large numbers of Android users in countries with poor or expensive connectivity get their apps.
The APK (Android Package Kit), akin to .exe files on a Windows computer, is the Android file format used to distribute apps.
The problem is that, when users copy an APK from a peer while offline, Android has no way of knowing whether it originated from the Play Store. The installer does check the APK’s signature, so a file altered after it was signed is rejected, but a repackaged app re-signed with a different key installs just as cleanly as the original, and nothing in the file records where it came from.
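To make the tamper-detection point concrete, here is an added example (not code from the article, Google or Android) that checks an APK’s zip entries against the SHA-256 digests in its v1-style META-INF/MANIFEST.MF. The “APK” is a constructed in-memory zip with a few placeholder entries, and the check covers only the JAR-style manifest: real APKs signed with the v2/v3 scheme carry an APK Signing Block instead, and in practice you would run `apksigner verify --print-certs app.apk`. The point the example shows is what such a check can and cannot tell you.

```python
import base64
import hashlib
import io
import zipfile

# Constructed placeholder entries standing in for a real APK's contents.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "res/layout/main.xml": b"<LinearLayout/>",
}


def _digest_b64(data: bytes) -> str:
    """Base64 SHA-256, the encoding MANIFEST.MF uses for per-entry digests."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_manifest(entries: dict) -> bytes:
    """Write a JAR-style manifest with one Name/SHA-256-Digest section per entry."""
    lines = ["Manifest-Version: 1.0", "Created-By: example (constructed)", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {_digest_b64(data)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def build_sample_apk(tamper: bool = False) -> bytes:
    """Build an in-memory zip with a manifest covering each entry.

    With tamper=True, classes.dex is modified *after* the manifest digests were
    computed, i.e. the file was altered post-signing and never re-signed.
    """
    entries = dict(SAMPLE_ENTRIES)
    manifest = build_manifest(entries)
    if tamper:
        entries["classes.dex"] = entries["classes.dex"] + b"\x90\x90payload"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(raw: bytes) -> dict:
    """Return {entry name: base64 SHA-256} from a JAR manifest.

    Manifest lines wrap at 72 bytes; continuation lines start with a single
    space, so those are unfolded before the sections are split on blank lines.
    """
    unfolded = raw.decode("utf-8").replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in unfolded.split("\n\n"):
        attrs = {}
        for line in section.split("\n"):
            if ": " in line:
                key, value = line.split(": ", 1)
                attrs[key] = value
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests


def check_manifest_digests(apk_bytes: bytes) -> dict:
    """Compare every non-META-INF entry against MANIFEST.MF.

    Returns {name: status} with status 'ok', 'mismatch', 'unlisted' (entry not
    covered by the manifest) or 'missing' (listed in the manifest but absent).
    """
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        expected = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        seen = set()
        for info in zf.infolist():
            name = info.filename
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            seen.add(name)
            if name not in expected:
                result[name] = "unlisted"
                continue
            actual = _digest_b64(zf.read(name))
            result[name] = "ok" if actual == expected[name] else "mismatch"
        for name in expected:
            if name not in seen:
                result[name] = "missing"
    return result


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk()),
                       ("tampered", build_sample_apk(tamper=True))):
        print(label, check_manifest_digests(apk))
```

The tampered copy is caught because classes.dex no longer matches its recorded digest. The limitation is just as instructive: an attacker who repackages the app, regenerates the manifest and signs with their own key passes this check without error. That is why Android compares signer certificates only on updates to an already-installed app, and why a fresh sideloaded install of a re-signed copy needs something like the Play Store origin metadata described below to be distinguishable from the genuine article.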
With this problem in mind, Google this week confirmed plans, trailed last year, to add “a small amount of security metadata” to each app APK as a way of confirming it originated in the Play Store.
According to Google Play’s product manager, James Bender, this means:
....
....
.....