Google lays groundwork for secure offline app distribution


Google will start adding security metadata to Android application packages (APKs) distributed via Google Play, so that users with limited internet access can check whether the apps they get via peer-to-peer app sharing are legitimate.

APK security metadata

The move, announced late last year, is part of a wider push to improve app security and should benefit a large number of users.

“Often when you buy a physical product, you’ll find an official label or a badge which signifies the product’s authenticity. The metadata we’re adding to APKs is like a Play badge of authenticity for your Android app,” Google explained.

To usher in this change, Google will adjust Play’s maximum APK size to accommodate the added metadata, which is inserted into the APK Signing Block.

“One of the reasons we’re doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity,” noted James Bender, Product Manager at Google Play.

“In the future, for apps obtained through Play-approved distribution channels, we’ll be able to determine app authenticity while a device is offline, add those shared apps to a user’s Play Library, and manage app updates when the device comes back online. This will give people more confidence when using Play-approved peer-to-peer sharing apps.”

Developers don’t need to do anything: the metadata will be added to their apps seamlessly via Google Play.
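The APK Signing Block is the region of an APK where the new metadata lives, and its layout explains why developers need do nothing: the block sits between the ZIP entries and the central directory as a list of ID-value pairs, and the APK Signature Scheme v2/v3 signatures cover the ZIP entries, central directory and end-of-central-directory record but not the signing block itself, so Play can append a new pair without invalidating the developer's signature. The flip side is that anyone can append a pair, so the metadata must carry its own authentication (presumably a Google signature; the article does not describe its format). The parser below is an added example, not Google's or Android's code: it builds a synthetic APK in memory, inserts a signing block, and enumerates the pairs. The ID 0x7109871a is the documented v2 signature block ID; `PLAY_METADATA_ID_PLACEHOLDER` and the pair contents are constructed stand-ins, since the page does not give the real values, and nothing here verifies a signature.

```python
"""
Added example (not Google's or the Android project's code): locate and
enumerate the ID-value pairs inside an APK Signing Block, the region of an
APK where Play's metadata is inserted. Standard library only; the APK is
constructed in memory so the script runs offline.
"""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # 16-byte magic that ends the block
EOCD_SIG = b"PK\x05\x06"                     # End of Central Directory signature
V2_SIGNATURE_BLOCK_ID = 0x7109871A           # documented APK Signature Scheme v2 ID
PLAY_METADATA_ID_PLACEHOLDER = 0x504C4159    # CONSTRUCTED placeholder, not Google's real ID


def find_eocd_offset(data: bytes) -> int:
    """Offset of the EOCD record; the trailing ZIP comment can be up to 65535 bytes."""
    start = max(0, len(data) - 22 - 0xFFFF)
    idx = data.rfind(EOCD_SIG, start)
    if idx < 0:
        raise ValueError("not a ZIP/APK: EOCD record not found")
    return idx


def central_directory_offset(data: bytes) -> int:
    """Read the 'offset of start of central directory' field (EOCD + 16, uint32 LE)."""
    return struct.unpack_from("<I", data, find_eocd_offset(data) + 16)[0]


def parse_apk_signing_block(data: bytes) -> dict:
    """Return {block_id: value} for every ID-value pair in the APK Signing Block.

    Layout (little-endian), placed immediately before the central directory:
      uint64 size                 (everything after this field)
      repeated: uint64 pair_len, uint32 id, bytes value[pair_len - 4]
      uint64 size                 (same value as the first field)
      16 bytes magic "APK Sig Block 42"
    """
    cd_offset = central_directory_offset(data)
    if data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block before the central directory")
    size_in_footer = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    block_start = cd_offset - 8 - size_in_footer
    if block_start < 0:
        raise ValueError("APK Signing Block size field is corrupt")
    size_in_header = struct.unpack_from("<Q", data, block_start)[0]
    if size_in_header != size_in_footer:
        raise ValueError("APK Signing Block size fields disagree")

    pairs = {}
    pos = block_start + 8
    end = cd_offset - 24                      # start of the trailing size field
    while pos < end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]
        pos += 8
        if pair_len < 4 or pos + pair_len > end:
            raise ValueError("ID-value pair overruns the block")
        block_id = struct.unpack_from("<I", data, pos)[0]
        pairs[block_id] = data[pos + 4:pos + pair_len]
        pos += pair_len
    return pairs


def build_apk_signing_block(pairs: dict) -> bytes:
    """Serialise ID-value pairs into a well-formed APK Signing Block."""
    body = b"".join(
        struct.pack("<QI", 4 + len(value), block_id) + value
        for block_id, value in pairs.items()
    )
    size = len(body) + 8 + 16                 # pairs + trailing size + magic
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def insert_apk_signing_block(zip_bytes: bytes, pairs: dict) -> bytes:
    """Insert a signing block before the central directory and patch the EOCD offset.

    Local header offsets stored in the central directory stay valid because
    nothing before the block moves; only the EOCD's CD offset must change.
    """
    cd_offset = central_directory_offset(zip_bytes)
    block = build_apk_signing_block(pairs)
    out = bytearray(zip_bytes[:cd_offset] + block + zip_bytes[cd_offset:])
    struct.pack_into("<I", out, find_eocd_offset(bytes(out)) + 16, cd_offset + len(block))
    return bytes(out)


def make_synthetic_apk() -> bytes:
    """CONSTRUCTED sample: one-entry ZIP plus a fake v2 pair and a fake metadata pair."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("assets/hello.txt", "hello")
    return insert_apk_signing_block(buf.getvalue(), {
        V2_SIGNATURE_BLOCK_ID: b"<fake v2 signature bytes>",
        PLAY_METADATA_ID_PLACEHOLDER: b"<fake play metadata>",
    })


def read_entry(apk: bytes, name: str) -> bytes:
    """Show the ZIP is still readable after the block was inserted."""
    return zipfile.ZipFile(io.BytesIO(apk)).read(name)


if __name__ == "__main__":
    apk = make_synthetic_apk()
    for block_id, value in parse_apk_signing_block(apk).items():
        print(f"0x{block_id:08x}: {len(value)} bytes")
```

Running the script lists both pairs, and the ZIP entry remains readable because the central directory and its local header offsets were untouched. A real verifier would go further and check that the metadata pair is signed by a key it trusts, which is the property an offline device needs before treating a peer-shared APK as authentic.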