Here is why some Google app updates cannot be downloaded on Android 11

When the Pixel 5 and 4a 5G came out, Google also updated a few of its proprietary apps – the camera and recorder, to be precise. But when people with older Pixel phones tried sideloading them on their phones, some encountered a strange INSTALL_FAILED_VERIFICATION_FAILURE error message even though the crypto signature matched and nothing should have been in the way. We quickly found a workaround, but never really understood why the error was appearing in the first place. Thanks to an investigation by our friends at XDA, we now have an idea of ​​the cause of the problem.

While we initially assumed the verification failure was a bug, XDA found evidence that it could be an intentional change. The post looked at the logs associated with the failed verification error while installing Google Camera, which states what is happening:

AppIntegrityManagerServiceImpl: Integrity check of com.google.android.GoogleCamera result: DENY due to [Rule: (PACKAGE_NAME EQ com.google.android.GoogleCamera) AND (VERSION_CODE GTE 32045130) AND (APP_CERTIFICATE EQ F0FD6C5B410F25CB25C3B53346C8972FAE30F8EE7411DF910480AD6B2D60DB83) AND NOT (INSTALLER_NAME EQ com.android.vending), DENY]

We can see that the installation failed because the installer application (“INSTALLER_NAME”) did not match the Play Store (“com.android.vending”), a criterion that was never checked until now. The check was started by the “AppIntegrityManagerServiceImpl”, part of the new “App Integrity” checker from Android. It’s supposed to add another layer of security on top of existing measures (like cryptographic APK signatures) to prevent malicious packets from replacing legitimate apps.

AppIntegrityManagerServiceImpl works on a set of rules provided by Play Services, so you can temporarily bypass the new security controls by uninstalling service updates – the rules are probably not part of the preinstalled version of the services and are not are not ‘not downloaded right away, so there is a time limit where AppIntegrityManagerServiceImpl has no rules to work with, and therefore, it will allow installation from any source. Large parts of the new Integrity Checker are obscured, so there could be more nuance on the subject, but that seems to be the gist of what we’re working with.

XDA assumes that these changes are aimed at preventing users from installing the wrong version of an app on their phones. It is possible to install the wrong DPI variant of an app on your phone which could mess up the interface, and there is at least one instance where you might lose functionality when you install the wrong version of an app, like Live Caption on the Pixel 4.

Google could extend this practice to more of its apps, although at the moment it seems that only apps that have moved to the APK bundle format can be blocked by AppIntegrityManagerServiceImpl, like Google Camera or Recorder.

We still don’t know exactly what the implications of the new Integrity Checker are, but it looks like the proposed workaround still allows most people to reliably load Google apps on Android 11, at least for now. . Since it looks like the verification changes are intentional, it’s possible that future updates will make sideloading system apps even more difficult, and you may not be able to use a workaround at some point.