I have read the post titled 'Improving app security and performance on Google Play for years to come'.
In that article, I would like to ask about below the sentence. "Additionally, in early 2018, Play will start adding a small amount of security metadata on top of each APK to further verify app authenticity."
Does it mean the above description is 'APK Signature Scheme v2'. If so, when I have signed it as selecting 'V2 (full APK signature)' is it created the final APK?
In other word, If I create a certain APP in the above way and upload it, will end users download and install it without any changes?
Otherwise, I have questions about "Adding a small amount into "APK Signing Block"".
Could it affect previous APP which don't include new security metadata?
Does Google put this metadata when the application APK uploaded to Play Store? My question is at what point is the security metadata inserted into APK?
'Generated Signed APK' Capture Image:
The Data safety section on Google Play is a simple way for you to help people understand what user data your app collects or shares, as well as showcase your app's key privacy and security practices. This information helps users make more informed choices when deciding which apps to install.
As to points: Does your app collect or share any of the required user data types? Definitely yes. There is an option later - Ephemeral processing - that says that it is being only used real-time and is not collected for a longer.
Data used by Play services is mostly cached data for these APIs, duplicated data of Android wear apps synched with your phone and some kind of search index. If you delete this data, chances are Google Play services will just recreate it. But you won't delete any of your personal data by deleting Play services data.
According to this blog post from June 2018 the authenticity data are already added to apps:
We are now adding a small amount of security metadata on top of APKs to verify that the APK was distributed by Google Play.
The authenticity data is placed at the same point in the ZIP/APK file as the Signature v2 block - after the zipped content and before the ZIP central directory. This does not necessarily means that the authenticity data require an v2 signature - both are just injected data blocks.
However I have not dissected an downloaded APK file to see if it really has this authenticity data included. It also seems that the necessary tools for verifying this data has not been released yet (or did I miss them?).
Google can add this metadata on Play Store side - whether when the app is uploaded, downloaded are some time between. Therefore even old apps can be equipped with this feature - if Google will do so? We will see.
Adding further data to an APK that has an v1 sig only is simple, because v1 signature only covers the content of the zipped files, not the ZIP structure itself. For v2 the situation is similar: it covers the zipped content including the ZIP entry headers, the central directory and the directory end (see here for hasing details). The signature does not cover the ZIP header or the data between the last content entry and the start of the central directory. Therefore Google can add further data before or after the APK Signing Block without invalidating the signature.
Your question is actually found in comments
If Google can add staff to the file without affecting the signature, then what stops from everyone else inject same metadata to a file and makes Google play beleive this is an apk came from the play console?
They are going to add some encrypted signature and will verify the signature through Google Play Services before installing the app whether the APK is downloaded from the Google Play Store or not.
In the article they also mentioned that
You do not need to take any action for this change.
Answering about source of information and delivering apps outside of Google Play
Referred to the Terms of Service https://play.google.com/intl/en-us_us/about/play-terms.html
Malware protection. To protect you against malicious third party software, URLs, and other security issues, Google may receive information about your Device's network connections, potentially harmful URLs, the operating system, and apps installed on your Device through Google Play or from other sources. Google may warn you if it considers an app or URL to be unsafe, or Google may remove or block its installation on your Device if it is known to be harmful to devices, data or users. You can choose to disable some of these protections in the settings on your Device, however, Google may continue to receive information about apps installed through Google Play, and apps installed on your Device from other sources may continue to be analyzed for security issues without sending information to Google.
Android 7.0 now shows if an APK was installed from the Play Store or another source.
Credit: https://www.androidpolice.com/2016/07/18/android-7-0-now-shows-if-an-apk-was-installed-from-the-play-store-or-another-source/
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With