Android Apps Can Now Block Sideloading, Force Downloads Through Google Play (androidauthority.com) 56
Android Authority's Mishaal Rahman reports: There are many reasons why you may want to sideload apps on your Android phone, but there are also good reasons why developers would want to block sideloading. A sideloaded app won't contribute to the developer's Play Store metrics, for one, but it also prevents the developer from curating which devices can use their app. Improperly sideloaded apps can also crash due to missing assets or code, or they might be missing certain features because you installed the wrong version for your device. Whatever the reason may be, developers who want to stop you from sideloading their apps now have an easier way to do so thanks to the Play Integrity API.
The Google Play Integrity API is an interface that helps developers "check that interactions and server requests are coming from [their] genuine app binary running on a genuine Android device." It looks for evidence that the app has been tampered with, that the app is running in an "untrustworthy" software environment, that the device has Google Play Protect enabled, and more. If you've heard of or dealt with SafetyNet Attestation before on a rooted phone, then you're probably already familiar with Play Integrity, even if not by that name. Play Integrity is the successor to SafetyNet Attestation, only it comes with even more features for developers.
As is the case with SafetyNet Attestation, developers call the Play Integrity API at any point in their app, receive what's called an integrity verdict, and then decide what they want to do from there. Some apps call the Play Integrity API when they launch and block access entirely depending on what the verdict is, while others only call the API when you're about to perform a sensitive action, so they can warn you that you shouldn't proceed. The Play Integrity API makes it easy for apps to offload the determination of whether the device and its software environment are "genuine," and with the latest update to the API, apps can now easily determine whether the person who installed them is "genuine" as well. "As Google continues to bolster Play Integrity's detection mechanisms and add new features, it's going to become harder and harder for power users to justify rooting Android," concludes Rahman. "At the same time, regular users will be better protected from potentially risky and fraudulent interactions, so it's clear that Play Integrity will continue to be adopted by more and more apps."
The Google Play Integrity API is an interface that helps developers "check that interactions and server requests are coming from [their] genuine app binary running on a genuine Android device." It looks for evidence that the app has been tampered with, that the app is running in an "untrustworthy" software environment, that the device has Google Play Protect enabled, and more. If you've heard of or dealt with SafetyNet Attestation before on a rooted phone, then you're probably already familiar with Play Integrity, even if not by that name. Play Integrity is the successor to SafetyNet Attestation, only it comes with even more features for developers.
As is the case with SafetyNet Attestation, developers call the Play Integrity API at any point in their app, receive what's called an integrity verdict, and then decide what they want to do from there. Some apps call the Play Integrity API when they launch and block access entirely depending on what the verdict is, while others only call the API when you're about to perform a sensitive action, so they can warn you that you shouldn't proceed. The Play Integrity API makes it easy for apps to offload the determination of whether the device and its software environment are "genuine," and with the latest update to the API, apps can now easily determine whether the person who installed them is "genuine" as well. "As Google continues to bolster Play Integrity's detection mechanisms and add new features, it's going to become harder and harder for power users to justify rooting Android," concludes Rahman. "At the same time, regular users will be better protected from potentially risky and fraudulent interactions, so it's clear that Play Integrity will continue to be adopted by more and more apps."
I bet that (Score:1)
I bet that this isn't going to be approved by EU
Re:I bet that (Score:5, Interesting)
Re: (Score:1)
It looks like Google is going to make it default for everyone
Re: (Score:3)
Re: (Score:2)
Re: I bet that (Score:2)
It will be misused to kill old and small devices. My two years old Nvidia tv already require me to side load half of the apps because they dont whitelist it
Re: (Score:2)
Re: (Score:2)
The device is still supported and sold. The Apps are not tested on it, so they dont go on the whitelist. The problem is that it is an f'ing white list. (and in this case that NVidia has two devices with the same name, but different IDs, so they only test and whitelist one).
Re: (Score:2)
Re: (Score:2, Informative)
I bet EU will not just approve it, but then require Telegram to block usage of the native APK version you can get from Telegram's website in favor of massively censored Play Store version.
Because direction here is toward PRC style totalitarian information control, not away from it.
Oh, really? (Score:2)
Google Play License Check (permission) has existed for over a decade and, surprise! it does exactly that with a little bit of extra code. Not sure why Google needed to invent something else.
People who really want/need to sideload apps will strip both of these protections regardless.
Re: Oh, really? (Score:5, Interesting)
People who really want/need to sideload apps will strip both of these protections regardless
Actually, we don't strip 'em, we fake 'em. See MicroG, https://microg.org/ [microg.org] My AOSP-based ROM comes with MicroG so we get to run banking apps, for example, and all the other fun stuff, without Google anywhere near.
Re: (Score:3)
Faking will only work for custom ROMs without Google's own GSF and not that many people run customs ROMs.
TBO I believe the number of people using custom Android ROMs has decreased tenfold over the last decade. You can see it in the extremely diminished activity in the related topics on XDA Developers.
Re: Oh, really? (Score:4, Informative)
Faking will only work for custom ROMs without Google's own GSF and not that many people run customs ROMs.
Does it? I don't run a custom ROM, but I do have MicroG installed as it is used to "fake" a lot of required interactions to make my modified Youtube app work - adblocking on the app level, not on the OS / network level.
Re: (Score:2)
Re: (Score:2)
Thank you. That is the main thing stopping me from going with LineageOS or some AOSP variant.
Now, if we can get xPrivacy back so apps can be fed bogus data if they ask for all permissions under the sun, life will be good.
Total BULLSHIT (Score:5, Interesting)
Its policies like these that are total BULLSHIT.
I recently took a trip to Japan from the USA with my Pixel 8 phone. Guess what? No Pixel phone works in Japan with their tap system for mass transit without either rooting the phone and modifying these APIs, or by using a Japanese native Pixel phone.
The non-Japanese phones are capable, but require sideloading and some low level modifications to enable the hardware that is already available within the phone. This new service will most likely block even THAT from working now.
Thanks, Google... you're really preventing bad actors from... *checks notes*... riding the fucking Train in Japan via your smart phones.
Re:Total BULLSHIT (Score:5, Informative)
This is a matter of licensing. Japan, with their exceptionalism, needed to invent their own flavor of NFC called FeLiCa, which needs to pay royalties to Sony. Apple just bites the bullet and pays it for every iPhone. Android manufacturers save a couple cents and only pay the fee for JDM phones.
You seem very offended by this, but not by the fact that your pixel phone, like mine, started making shutter sounds in Japan with no ability to turn the noise off, even though it wasn't a JDM phone (and there is NO law in japan requiring this behavior, it's just a "gentlemen's agreement" between manufacturers.
Re: (Score:2)
At least the Pixel "shutter" sound is just a sort of paper shuffling noise, not a big angry clunk. I leave mine on as I like the audible feedback, but it's so quiet that it's often inaudible outdoors anyway.
I side load Japan-only apps like the Hard-Off one. I'd load it through Play, but it won't let you even if you are in Japan, if your account location is set to somewhere else. Changing account location is not trivial. Hopefully I won't be affected, but I'm sure there will be a way to patch affected apps a
Re: (Score:2)
Felica predates the standard for NFC smartcards - it's that first mover disadvantage, where the eventual standard may be incompatible with what you roll out. It isn't exclusive to Japan, though. The Hong Kong Octopus NFC card used for public transport and paying for various other things is Felica as well. There's a big cost if you want to replace one of these systems. It's kind of like how the US justified their mobile phones being incompatible with the rest of the world for so long.
Re: (Score:2)
#AndroidProblems
Bet the iPhone works flawlessly.
Of course it does. You pay for the privilege of the iPhone working. Literally - Apple pay a license to Sony to make this work in Japan and they pass the cost on to you, the user, regardless if you even know where Japan is on the map.
Sure, Jan (Score:2)
Re: (Score:2)
Uh, or power users just won't use android.
Honest question... what will they use?
Re: (Score:2)
The shitty apps that will require this to harvest as much data as possible? Nope, they won't be used. Opens up a lot of markets for devs who aren't complete gold diggers though.
Probably it will also be the fart app that requires full permissions to everything on the phone just so you can poke the screen and it makes a generic fart sound too.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I've decided to try SailfishOS on my next phone in response to Google making rooting harder and more inconvenient with every successive Android version.
Play Store apps are censored (Score:2)
Also provides a nice "stay away" list (Score:4, Insightful)
They do not want me to side-load? Wish granted. I will not load their crap at all.
Re: (Score:2)
That's nice virtue signaling, but the reality is if you're interested in an app enough to consider side loading it, then you will actually be annoyed if it were to be blocked. It's easy to pretend not to care if it is a situation which you haven't found yourself in yet.
it also prevents the developer from curating (Score:3)
but please buy our new version, that will work with your newer device."
Good old manufactured obsolescence.
Niantic to embrace this in 3, 2, 1 . . . (Score:4, Interesting)
Niantic refuses to let their original flagship game, Ingress, run on the arguably-more-secure-than-stock-Android GrapheneOS. It is not rooted, nor is rooting offered as an option.
Pokémon Go and their others are expected to follow suit.
Re: (Score:1)
That's kinda what this smells of, some tiny fraction of a percent of people who aren't obeying the "mobile" cash whoring party line, they're running "insecure" environments that don't secure p2w freemium cash shop gacha etc type revenue streams.
It is absolutely unacceptable that you have the neon angry bird without buying the $4.59 skin. We will block un-blessed installs of Angry Birds, somehow. You WILL give us real uncopied money for imaginary property.
What does this mean for deGoogled phones? (Score:3)
Doesn't this just turn android into a walled garden like Apple?
Another freedom (Score:2)
This was foreseeable and foreseen. (Score:4, Informative)
Stallman was right as usual.
A phone Google can't control (Score:3)
Translation: We're planning on disabling your phone that we can't control, as much as possible.
I have modified an APK, removing 22MB of photos I don't want from a 26MB applet. Then the developer included an integrity check meaning the no-fluff version would not start. My choices are, use a no-fluff, old version, or use the memory-clogging, latest version.
Re: (Score:2)
Re:A phone Google can't control - RE (Score:2)
Side loading is so much easier (Score:2)
Typing adb install from a CLI takes two seconds to install an app. So much easier than wasting time fumbling around with web pages or store apps on a tiny phone.
Regarding "SafetyNet" it is unsafe to run android with Google play malware or without firewalling apps. The only reason for this type of check in the first place is facilitating app store lockin.
No need to use a Google API for that (Score:2)
It can be easily detected whether an app was installed through the Play Store, and an appropriate action taken, if one were so inclined. I don't submit my app to 3rd party app stores, but I do allow it to run if it was installed through one, or through sideloading. I don't mind the Chinese using the app, probably the biggest market where Play Store is not available.
What I don't allow are reverse-engineered copies of my app, recognizable because they're not signed with my developer certificate. Those mostly
One app (Score:1)
Google intentionally commits absurd violations (Score:2)