How Google Might Be Killing Sideloading Apps on Android with the New Google Play Integrity Update

Google’s new Play Integrity API might be a huge threat to sideloading apps on your Android device. The threats underlying this update include blocking sideloaded apps, blocking apps from running on custom ROMs, and apps refusing to work on devices with an unlocked bootloader or on rooted Android devices. All of these things make Android what it is today.
Imagine if certain programs or banking websites refused to work on your Windows PC because you decided to sideload apps outside of the official Windows Store, or sideloaded Linux on your system.
Google recently published a blog post on the latest updates coming to its Play Integrity API, which are set to significantly alter how developers and users interact with installing apps on Android. While the changes are positioned as improvements for security, privacy, and performance, they also have implications that may discourage or outright hinder sideloading apps, a characteristic feature of Android’s open ecosystem.
What’s the new Play Integrity API update?
Primarily, the Play Integrity API serves as a safeguard for apps and their users. It enables developers to assess the integrity of devices, accounts, and app installations. It helps prevent issues such as fraud, unauthorized usage, cheating, and data theft. According to Google, apps that leverage this API experience 80% less unauthorized usage compared to those that do not. The new updates to the API bring sweeping changes aimed at making it faster, more secure, and less invasive to user privacy—at least on the surface.
One of the major enhancements is improved performance and privacy. Latency in generating integrity verdicts is expected to decrease by up to 80%, and reliance on Google servers to evaluate device signals will drop by 90%, improving efficiency.
All devices running Android 13 (API level 33) and above will transition to this updated system by May 2025, with developers having the option to adopt the changes earlier. Additionally, the updates leverage Android Platform Key Attestation, a hardware-backed security measure, making it harder and more expensive for attackers to bypass integrity checks. Verdicts can now adapt dynamically to security threats, such as key compromise or excessive suspicious activity, without requiring developer intervention.
Another significant change is the stricter security update requirements. Devices must have a security update within the last year to meet the “meets-strong-integrity” requirement. Apps with higher security demands, such as financial or government applications, benefit from this by ensuring sensitive features are accessible only on secure devices. The updates also introduce standardized and simplified signals, providing enhanced consistency in verdict information for apps installed via Google Play. New device attributes allow apps to differentiate between Android versions and integrity levels, while optional signals, such as the “app access risk verdict,” help detect and mitigate malicious app activities.
Key points provided by Google:
- Purpose of the Play Integrity API:
  It helps app developers safeguard their apps from fraud, abuse, and unauthorized usage. It also protects users by identifying suspicious activity.
- Enhancements in 2024:
  - Improved Performance and Privacy:
    The API is being updated for devices with Android 13 and above, making it faster, harder to bypass, and more privacy-friendly.
    - Latency reduction by ~80%.
    - Google server reliance decreased by ~90%.
  - Hardware-backed Security:
    Using Android Platform Key Attestation for better protection against tampering or spoofing.
- New Features:
  - Security Update Requirement:
    The “meets-strong-integrity” verdict will require devices to have a security update within the last year for Android 13+.
  - Device Attributes Field:
    Apps can tailor behavior based on the device’s Android version and integrity status.
  - Standardized Verdicts:
    Enhanced and consistent information for apps installed via Google Play, including signals like “app access risk verdict” to detect malicious apps.
- Implementation Timeline:
  - Developers can opt into the new verdicts now.
  - The changes will be applied to all integrations automatically by May 2025.
- Benefits for Developers:
  - Enhanced security for sensitive apps (e.g., banking, enterprise).
  - Clear, standardized signals for easier integration and trust management.
How will this affect Sideloading of Apps?
While the Play Integrity API enhancements appear to focus on security and user protection, they introduce several challenges for sideloaded apps. Apps installed outside Google Play, including sideloaded apps, will not benefit from the “enhanced verdicts” that include security signals like “meets-strong-integrity.”
This places sideloaded apps at a disadvantage compared to their Play Store counterparts. Apps that require “strong integrity” may become unusable when sideloaded, limiting their usability in certain contexts.
Google’s updates to the Play Integrity API present a classic trade-off: enhancing security and user trust while potentially stifling innovation and limiting user choice. While the improvements undeniably bolster app security, their impact on sideloading raises concerns about the future of Android’s openness.
Moreover, the new system grants developers the ability to outright block their apps from running if they are not downloaded through Google Play. This could be detrimental to users who rely on sideloading for various reasons, such as accessing apps unavailable in their region, using modified versions of apps, or avoiding unnecessary dependencies on Google’s ecosystem. By enabling such blocks, developers can effectively restrict app functionality solely to Play Store installations, leaving users with fewer options and reduced control over their devices.
While Google may suggest that the Play Integrity API update is primarily for critical apps like banking or payments, it is not necessarily limited to developers of banking or payment apps. Developers of apps in any category can simply place restrictions on their apps as they please.
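The developer-side decision described above, as an added example (not Google's code and not from the original article): a backend policy check over an already decrypted verdict, in Python. The field and label names follow Google's published verdict format; the policy names, their actions and the sample verdicts are constructed assumptions.

```python
# Added example: backend policy over an already decrypted Play Integrity verdict.
# Field and label names follow Google's published verdict format.
# Policy names, actions and all sample verdicts below are constructed.

SEVERITY = ["allow", "limit", "deny"]

POLICIES = {
    # Hypothetical general-purpose app: tolerates sideloaded installs.
    "general": {"no_device_integrity": "limit", "no_strong_integrity": "allow",
                "unrecognised_binary": "limit", "not_from_play": "allow"},
    # Hypothetical high-assurance app: Play installs on strong devices only.
    "strict": {"no_device_integrity": "deny", "no_strong_integrity": "limit",
               "unrecognised_binary": "deny", "not_from_play": "deny"},
}

def findings(verdict):
    """List what the verdict fails to prove; absent fields count as failures."""
    labels = set(verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", []))
    app = verdict.get("appIntegrity", {}).get("appRecognitionVerdict", "UNEVALUATED")
    lic = verdict.get("accountDetails", {}).get("appLicensingVerdict", "UNEVALUATED")
    out = []
    if "MEETS_DEVICE_INTEGRITY" not in labels:
        out.append("no_device_integrity")
    if "MEETS_STRONG_INTEGRITY" not in labels:
        out.append("no_strong_integrity")
    if app != "PLAY_RECOGNIZED":
        out.append("unrecognised_binary")
    if lic != "LICENSED":
        out.append("not_from_play")
    return out

def decide(verdict, policy_name):
    """Return (decision, findings); the most severe mapped action wins."""
    hits = findings(verdict)
    policy = POLICIES[policy_name]
    decision = max((policy[h] for h in hits), key=SEVERITY.index, default="allow")
    return decision, hits

def sample(labels, licensing):
    return {"appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
            "deviceIntegrity": {"deviceRecognitionVerdict": labels},
            "accountDetails": {"appLicensingVerdict": licensing}}

STRONG = ["MEETS_BASIC_INTEGRITY", "MEETS_DEVICE_INTEGRITY", "MEETS_STRONG_INTEGRITY"]
PLAY_INSTALL = sample(STRONG, "LICENSED")
SIDELOADED = sample(["MEETS_DEVICE_INTEGRITY"], "UNLICENSED")  # no strong label
STALE_PATCH = sample(STRONG[:2], "LICENSED")  # last security update over a year old

if __name__ == "__main__":
    for name, v in [("play", PLAY_INSTALL), ("sideloaded", SIDELOADED), ("stale", STALE_PATCH)]:
        print(name, decide(v, "general"), decide(v, "strict"))
```

The same sideloaded verdict is allowed under one policy and denied under the other, which is the developer discretion the article describes.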