Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google Marks APKs Distributed by Google Play

Google this week announced that it is adding a small amount of security metadata on top of APKs distributed by Google Play in order to verify their authenticity.

Google this week announced that it is adding a small amount of security metadata on top of APKs distributed by Google Play in order to verify their authenticity.

Initially announced in December 2017, the new change is designed to verify product authenticity from Google Play and is accompanied by an adjusted Google Play maximum APK size to take into account the small metadata addition.

The metadata is meant to work similarly as the official labels or badges that manufacturers place on physical products to mark their authenticity. The metadata will signify Play’s badge of authenticity for all Android apps distributed through the official marketplace.

“One of the reasons we’re doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity,” James Bender, Product Manager, Google Play, says.

According to Bender, the new “badge” will help determine the app authenticity for apps obtained through Play-approved distribution channels when the device is offline. These shared apps will be added to a Play Library and app updates management will be possible when the device has connectivity.

“This will give people more confidence when using Play-approved peer-to-peer sharing apps,” he notes.

Developers are also expected to benefit from this change, not only because a Play-authorized offline distribution channel will be available for them, but also because, once the peer-to-peer shared apps are added to the Play library, they become eligible for updates from Play.

Google says no action is required from the developers or from the users of their applications. The small metadata addition is inserted into the APK Signing Block and is expected to improve the integrity of Google Play’s mobile app ecosystem.

Beginning in August 2018, developers will need to target API level 26 (Android 8.0) or higher with their new apps. Starting November this year, app updates will have to comply to this requirement as well. Existing applications that don’t receive updates won’t be affected by these changes.

Related: Safe Browsing Now On by Default on Android

Related: Google Turns TLS on By Default on Android P

Related: 700,000 Bad Android Apps Removed From Google Play in 2017

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...


Pig Butchering, also known as Sha Zhu Pan and CryptoRom, is an ugly name for an ugly scam.