Android Apps Can Now Block Sideloading, Force Downloads Through Google Play (androidauthority.com)

Android Authority's Mishaal Rahman reports: There are many reasons why you may want to sideload apps on your Android phone, but there are also good reasons why developers would want to block sideloading. A sideloaded app won't contribute to the developer's Play Store metrics, for one, but it also prevents the developer from curating which devices can use their app. Improperly sideloaded apps can also crash due to missing assets or code, or they might be missing certain features because you installed the wrong version for your device. Whatever the reason may be, developers who want to stop you from sideloading their apps now have an easier way to do so thanks to the Play Integrity API.

The Google Play Integrity API is an interface that helps developers "check that interactions and server requests are coming from [their] genuine app binary running on a genuine Android device." It looks for evidence that the app has been tampered with, that the app is running in an "untrustworthy" software environment, that the device has Google Play Protect enabled, and more. If you've heard of or dealt with SafetyNet Attestation before on a rooted phone, then you're probably already familiar with Play Integrity, even if not by that name. Play Integrity is the successor to SafetyNet Attestation, only it comes with even more features for developers.

As is the case with SafetyNet Attestation, developers call the Play Integrity API at any point in their app, receive what's called an integrity verdict, and then decide what they want to do from there. Some apps call the Play Integrity API when they launch and block access entirely depending on what the verdict is, while others only call the API when you're about to perform a sensitive action, so they can warn you that you shouldn't proceed. The Play Integrity API makes it easy for apps to offload the determination of whether the device and its software environment are "genuine," and with the latest update to the API, apps can now easily determine whether the person who installed them is "genuine" as well.

"As Google continues to bolster Play Integrity's detection mechanisms and add new features, it's going to become harder and harder for power users to justify rooting Android," concludes Rahman. "At the same time, regular users will be better protected from potentially risky and fraudulent interactions, so it's clear that Play Integrity will continue to be adopted by more and more apps."
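The flow the summary describes (call the API, receive an integrity verdict, decide what to do) seen from the app backend, as an added example that is not code from the article or from Google. It assumes the token has already been decoded by Google's servers into the documented verdict JSON (`appIntegrity`, `deviceIntegrity`, `accountDetails`), and the sample verdicts are constructed here rather than real output.

```python
import copy
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    WARN = "warn"    # let the user continue but flag the sensitive action
    BLOCK = "block"


def decide(verdict: dict, expected_package: str, expected_nonce: str,
           block_sideloads: bool = False) -> Action:
    """Map a decoded Play Integrity verdict to an app policy: genuine binary,
    trustworthy device, and (optionally) install obtained through Play."""
    req = verdict.get("requestDetails", {})
    # Bind the verdict to this request so a replayed or foreign token fails.
    if (req.get("requestPackageName") != expected_package
            or req.get("nonce") != expected_nonce):
        return Action.BLOCK
    app = verdict.get("appIntegrity", {})
    if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        return Action.BLOCK  # repackaged or tampered binary
    labels = set(verdict.get("deviceIntegrity", {})
                 .get("deviceRecognitionVerdict", []))
    if "MEETS_DEVICE_INTEGRITY" not in labels:
        return Action.WARN  # e.g. unlocked bootloader or custom ROM
    licensing = verdict.get("accountDetails", {}).get("appLicensingVerdict")
    if licensing != "LICENSED":
        # Installed outside Play (sideloaded) or licence not evaluated.
        return Action.BLOCK if block_sideloads else Action.WARN
    return Action.ALLOW


# Constructed sample verdicts, not real Google output.
GENUINE_VERDICT = {
    "requestDetails": {"requestPackageName": "com.example.app",
                       "nonce": "n0nce-123"},
    "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                     "packageName": "com.example.app"},
    "deviceIntegrity": {"deviceRecognitionVerdict":
                        ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"]},
    "accountDetails": {"appLicensingVerdict": "LICENSED"},
}
SIDELOADED_VERDICT = copy.deepcopy(GENUINE_VERDICT)
SIDELOADED_VERDICT["accountDetails"]["appLicensingVerdict"] = "UNLICENSED"
```

The verdict is only meaningful once it has come back from Google's decode endpoint; a client-supplied JSON blob must never be fed to this function directly.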
  • by Anonymous Coward

    I bet that this isn't going to be approved by EU

    • Re:I bet that (Score:5, Interesting)

      by Xenx ( 2211586 ) on Wednesday September 11, 2024 @05:38PM (#64781679)
      At least from the summary, I don't see why it shouldn't be approved. It would be up to the app maker whether to use it or not. If they want to operate on third party markets, they just wouldn't use it.
      • by Anonymous Coward

        It looks like Google is going to make it default for everyone

        • by Xenx ( 2211586 )
          The article, and Googles documentation, says it's on the dev whether to call the API or not. It's also on the devs to decide what, if anything, will be done based on the results.
      • It will be misused to kill old and small devices. My two-year-old Nvidia TV already requires me to sideload half of the apps because they don't whitelist it.

        • by Xenx ( 2211586 )
          That isn't a Google problem. That is an issue with the devs not supporting devices. I'm not saying the problem doesn't still suck for the end user, but it doesn't sound like something that would bring Google afoul of anything.
          • The device is still supported and sold. The apps are not tested on it, so they don't go on the whitelist. The problem is that it is an f'ing whitelist (and in this case that NVidia has two devices with the same name, but different IDs, so they only test and whitelist one).

            • by Xenx ( 2211586 )
              Google Play defaults to permissive, with devices being excluded. If the app isn't available on the device, it means the devs chose, intentionally or not, to disallow that device.
    • Re: (Score:2, Informative)

      by Luckyo ( 1726890 )

      I bet EU will not just approve it, but then require Telegram to block usage of the native APK version you can get from Telegram's website in favor of massively censored Play Store version.

      Because direction here is toward PRC style totalitarian information control, not away from it.

  • Google Play License Check (permission) has existed for over a decade and, surprise! it does exactly that with a little bit of extra code. Not sure why Google needed to invent something else.

    People who really want/need to sideload apps will strip both of these protections regardless.

    • Re: Oh, really? (Score:5, Interesting)

      by pitch2cv ( 1473939 ) on Wednesday September 11, 2024 @05:44PM (#64781697)

      People who really want/need to sideload apps will strip both of these protections regardless

      Actually, we don't strip 'em, we fake 'em. See MicroG, https://microg.org/ My AOSP-based ROM comes with MicroG so we get to run banking apps, for example, and all the other fun stuff, without Google anywhere near.

      • Faking will only work for custom ROMs without Google's own GSF, and not that many people run custom ROMs.

        TBO I believe the number of people using custom Android ROMs has decreased tenfold over the last decade. You can see it in the extremely diminished activity in the related topics on XDA Developers.

        • Re: Oh, really? (Score:4, Informative)

          by thegarbz ( 1787294 ) on Thursday September 12, 2024 @03:10AM (#64782427)

          Faking will only work for custom ROMs without Google's own GSF and not that many people run customs ROMs.

          Does it? I don't run a custom ROM, but I do have MicroG installed as it is used to "fake" a lot of required interactions to make my modified Youtube app work - adblocking on the app level, not on the OS / network level.

        • Actually it doesn't. Play Integrity (and SafetyNet before it) use the device's TPM and trusted hypervisor to execute Play Services' payload code inside an isolated environment that even root can't mess with. (Think Apple's Secure Enclave.) That code also generates the signature that gets validated by Google's servers before the app developer gets their hands on it. Currently, unless you have a device with a known hardware implementation flaw in the secure environment, and it hasn't been blocked by Google's
      • Thank you. That is the main thing stopping me from going with LineageOS or some AOSP variant.

        Now, if we can get xPrivacy back so apps can be fed bogus data if they ask for all permissions under the sun, life will be good.

  • Total BULLSHIT (Score:5, Interesting)

    by darkain ( 749283 ) on Wednesday September 11, 2024 @05:40PM (#64781683) Homepage

    It's policies like these that are total BULLSHIT.

    I recently took a trip to Japan from the USA with my Pixel 8 phone. Guess what? No Pixel phone works in Japan with their tap system for mass transit without either rooting the phone and modifying these APIs, or by using a Japanese native Pixel phone.

    The non-Japanese phones are capable, but require sideloading and some low level modifications to enable the hardware that is already available within the phone. This new service will most likely block even THAT from working now.

    Thanks, Google... you're really preventing bad actors from... *checks notes*... riding the fucking Train in Japan via your smart phones.

    • Re:Total BULLSHIT (Score:5, Informative)

      by hjf ( 703092 ) on Wednesday September 11, 2024 @06:22PM (#64781821) Homepage

      This is a matter of licensing. Japan, with their exceptionalism, needed to invent their own flavor of NFC called FeLiCa, which needs to pay royalties to Sony. Apple just bites the bullet and pays it for every iPhone. Android manufacturers save a couple cents and only pay the fee for JDM phones.

      You seem very offended by this, but not by the fact that your Pixel phone, like mine, started making shutter sounds in Japan with no ability to turn the noise off, even though it wasn't a JDM phone (and there is NO law in Japan requiring this behavior, it's just a "gentlemen's agreement" between manufacturers).

      • by AmiMoJo ( 196126 )

        At least the Pixel "shutter" sound is just a sort of paper shuffling noise, not a big angry clunk. I leave mine on as I like the audible feedback, but it's so quiet that it's often inaudible outdoors anyway.

        I side load Japan-only apps like the Hard-Off one. I'd load it through Play, but it won't let you even if you are in Japan, if your account location is set to somewhere else. Changing account location is not trivial. Hopefully I won't be affected, but I'm sure there will be a way to patch affected apps a

      • by _merlin ( 160982 )

        Felica predates the standard for NFC smartcards - it's that first mover disadvantage, where the eventual standard may be incompatible with what you roll out. It isn't exclusive to Japan, though. The Hong Kong Octopus NFC card used for public transport and paying for various other things is Felica as well. There's a big cost if you want to replace one of these systems. It's kind of like how the US justified their mobile phones being incompatible with the rest of the world for so long.

  • > "As Google continues to bolster Play Integrity's detection mechanisms and add new features, it's going to become harder and harder for power users to justify rooting Android," concludes Rahman. "At the same time, regular users will be better protected from potentially risky and fraudulent interactions, so it's clear that Play Integrity will continue to be adopted by more and more apps."

    Uh, or power users just won't use android.
    • by Rinnon ( 1474161 )

      Uh, or power users just won't use android.

      Honest question... what will they use?

      • The shitty apps that will require this to harvest as much data as possible? Nope, they won't be used. Opens up a lot of markets for devs who aren't complete gold diggers though.

        Probably it will also be the fart app that requires full permissions to everything on the phone just so you can poke the screen and it makes a generic fart sound too.

      • I've decided to try SailfishOS on my next phone in response to Google making rooting harder and more inconvenient with every successive Android version.

  • RT and others are censored from the Play Store version of Telegram, for example. This seems like a bad option for that reason, depending on the type of app.
  • by gweihir ( 88907 ) on Wednesday September 11, 2024 @06:23PM (#64781831)

    They do not want me to side-load? Wish granted. I will not load their crap at all.

    • That's nice virtue signaling, but the reality is if you're interested in an app enough to consider side loading it, then you will actually be annoyed if it were to be blocked. It's easy to pretend not to care if it is a situation which you haven't found yourself in yet.

  • by sixsixtysix ( 1110135 ) on Wednesday September 11, 2024 @06:39PM (#64781875)
    Oh you mean, "you can't use this functional application that you bought 6 years ago,
    but please buy our new version, that will work with your newer device."
    Good old manufactured obsolescence.
  • by msk ( 6205 ) on Wednesday September 11, 2024 @07:41PM (#64781991)

    Niantic refuses to let their original flagship game, Ingress, run on the arguably-more-secure-than-stock-Android GrapheneOS. It is not rooted, nor is rooting offered as an option.

    Pokémon Go and their others are expected to follow suit.

    • by Anonymous Coward

      That's kinda what this smells of, some tiny fraction of a percent of people who aren't obeying the "mobile" cash whoring party line, they're running "insecure" environments that don't secure p2w freemium cash shop gacha etc type revenue streams.

      It is absolutely unacceptable that you have the neon angry bird without buying the $4.59 skin. We will block un-blessed installs of Angry Birds, somehow. You WILL give us real uncopied money for imaginary property.

  • by schwit1 ( 797399 ) on Wednesday September 11, 2024 @09:48PM (#64782165)

    Doesn't this just turn android into a walled garden like Apple?

  • bites the dust. Android should be abandoned, replaced by clean GNU/Linux. Too much of our freedom on our device is taken away bit by bit.
  • by NotEmmanuelGoldstein ( 6423622 ) on Thursday September 12, 2024 @12:56AM (#64782317)

    ...power users to justify rooting Android ...

    Translation: We're planning on disabling your phone that we can't control, as much as possible.

    I have modified an APK, removing 22MB of photos I don't want from a 26MB applet. Then the developer included an integrity check meaning the no-fluff version would not start. My choices are, use a no-fluff, old version, or use the memory-clogging, latest version.

  • Typing adb install from a CLI takes two seconds to install an app. So much easier than wasting time fumbling around with web pages or store apps on a tiny phone.

    Regarding "SafetyNet" it is unsafe to run android with Google play malware or without firewalling apps. The only reason for this type of check in the first place is facilitating app store lockin.

  • It can be easily detected whether an app was installed through the Play Store, and an appropriate action taken, if one were so inclined. I don't submit my app to 3rd party app stores, but I do allow it to run if it was installed through one, or through sideloading. I don't mind the Chinese using the app, probably the biggest market where Play Store is not available.

    What I don't allow are reverse-engineered copies of my app, recognizable because they're not signed with my developer certificate. Those mostly

  • I only use one app on my phone: The browser. Almost everything I need to do can be done from the browser. And it seems far easier than having a giant list of crap on my phone I don't go to very often.
  • They make ridiculous asks so they can settle on bigger compromises that don't seem "as bad". It's a game to them. If they could make users pay for every electron and every breath they took, they would.
