In developing countries, mobile data is often expensive, not to mention tough to come by. That’s why peer-to-peer software sharing apps, which enable smartphones to transfer updates and files offline via Bluetooth or ad hoc Wi-Fi connections, have proliferated. But they’re not a particularly secure way of doing business: without internet-connected malware-scanning tools to fall back on (except for Google Play Protect), you have to take offline hosts at their word. It’s an unattractive proposition considering that, according to Google, Android devices that download apps from third-party sources are 9 times more likely to be compromised.
That’s why Google late last year introduced a new information layer for Android app files (APKs) — security metadata — that lets devices quickly determine whether an app has been modified or manipulated in any way, even offline. Starting today, offline peer-to-peer installs are launching in beta.
Developers don’t need to lift a finger. When a user shares an app via partner tools like SHAREit, Google Play — Android’s app store — will be able to determine its authenticity by reading a portion of the APK Signing Block, and even add shared apps to a user’s library. Additionally, it’ll manage app updates when the device comes back online.
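To make "reading a portion of the APK Signing Block" concrete, the following added example (not Google's or Play's code) locates that block in an APK and lists its ID-value pairs, using the layout published in Android's APK Signature Scheme v2 documentation. The article does not say which pair carries the Play metadata, so the code lists every pair; the sample file and the ID `0x0BADC0DE` are constructed, and locating a pair verifies nothing by itself.

```python
import struct

MAGIC = b"APK Sig Block 42"        # last 16 bytes of the APK Signing Block
EOCD_SIG = b"PK\x05\x06"           # ZIP End of Central Directory signature
V2_SCHEME_ID = 0x7109871A          # APK Signature Scheme v2 pair ID

def signing_block_pairs(apk: bytes) -> dict:
    """Locate the APK Signing Block and return {pair_id: value}."""
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(apk):
        raise ValueError("no End of Central Directory record")
    cd_offset, comment_len = struct.unpack_from("<IH", apk, eocd + 16)
    if eocd + 22 + comment_len != len(apk) or not 32 <= cd_offset <= eocd:
        raise ValueError("inconsistent End of Central Directory record")
    if apk[cd_offset - 16:cd_offset] != MAGIC:
        raise ValueError("no APK Signing Block before the central directory")
    size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
    start = cd_offset - size - 8       # size excludes the leading size field
    if size < 24 or start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields are invalid")
    region, pairs, pos = apk[start + 8:cd_offset - 24], {}, 0
    while pos < len(region):
        if pos + 12 > len(region):
            raise ValueError("truncated ID-value pair")
        length, pair_id = struct.unpack_from("<QI", region, pos)
        if length < 4 or pos + 8 + length > len(region):
            raise ValueError("ID-value pair length out of bounds")
        pairs[pair_id] = region[pos + 12:pos + 8 + length]
        pos += 8 + length
    return pairs

def build_sample(pairs) -> bytes:
    """Constructed stand-in for an APK: filler, signing block, empty ZIP directory."""
    body = b"".join(struct.pack("<QI", len(v) + 4, i) + v for i, v in pairs)
    size = struct.pack("<Q", len(body) + 24)
    filler = b"\x00" * 40              # stands in for the ZIP entries
    block = size + body + size + MAGIC
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, len(filler) + len(block), 0)
    return filler + block + eocd

if __name__ == "__main__":
    sample = build_sample([(V2_SCHEME_ID, b"v2-signer-data"), (0x0BADC0DE, b"constructed-metadata")])
    for pair_id, value in signing_block_pairs(sample).items():
        print(f"0x{pair_id:08x}: {len(value)} bytes")
```

A receiving device still has to check the signatures inside those pairs against the file contents before trusting an APK that arrived over Bluetooth or ad hoc Wi-Fi.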
“This will give users more confidence when using Play-approved peer-to-peer app beta partners,” wrote James Bender, product manager for Google Play, in a blog post. “This is an important step that improves the integrity of Google Play’s mobile app ecosystem. Offline Play peer-to-peer sharing presents a new distribution opportunity for developers while helping more people keep their apps up to date.”
The announcement follows on the heels of Google Play security enhancements announced in December 2017, which saw a migration from 32-bit apps and libraries to 64-bit and new requirements around recent Android API levels.
In March, Google released its Android Security 2017 Year in Review, which revealed that 60.3 percent of potentially harmful apps (PHAs) were detected via machine learning. Detection is performed by Google Play Protect, a service enabled on over 2 billion devices (running Android 4.3 and up) that automatically reviews more than 50 billion apps each day.
Play Protect’s reviews led to the removal of nearly 39 million PHAs in 2017, Google said.