The new 'application signatures' from the Play Store are not DRM and sideloading is not in danger




Earlier this month, Google announced that it would begin adding metadata to apps downloaded from the Play Store. The metadata serves as proof that an APK file is from the Play Store, which allows devices to verify that the app has not been tampered with. However, there is an increasingly common misconception that this is a form of DRM (Digital Rights Management), which is simply not true.

In many parts of the world, technology is moving faster than the infrastructure that supports it. This is particularly evident in countries like India, where smartphones are most people's main computer, but cellular networks often cannot meet the demand. Google has introduced several applications and products specifically for India and other developing countries to address these problems.

YouTube Go, for example, not only uses less data than the standard YouTube app, but also lets users share videos with someone else over a local connection. This benefits everyone: YouTube gains more viewers, and users do not need to use more cellular data (often capped and/or expensive in developing countries) than necessary.

In February, it seemed that Google wanted to bring the same logic to the Play Store. An APK teardown revealed the presence of a "Peer To Peer Application API on Google Play", which would (presumably) transfer applications locally from one device to another. Of course, it has long been possible to transfer Android applications to another device. APKs can easily be extracted with the help of a number of third-party applications (ML Manager is one example), and from there you can send them through any application or service that supports file transfers. If an internet connection is not readily available, Bluetooth or Wi-Fi Direct will always work.

Your phone cannot tell if an app is legitimate or not.

There is a major problem with the installation of applications outside the Play Store: it is impossible for a device to know if the application is legitimate or not. It could have been injected with a tracking code, or a cryptocurrency miner, or full screen ads, and your phone would have no way of knowing it.

From day one, Android has had only one method to check whether an application is legitimate: the signature. When a developer compiles an Android application, it is "signed" with the developer's cryptographic key. However, the signature cannot be used as a validation method unless you have something to compare it against. Think of an ordinary handwritten signature. If you only see one signature for "Tim Cook", you have no way of knowing whether it is really Tim Cook's signature. But if you have a signature for Tim Cook and a scan of Tim Cook's signature from Wikipedia, you can tell whether the first signature is legitimate or not.

In the same way, your Android device can only use the signature when installing application updates. If the update matches the signature of the already installed application, it can be installed. The signature breaks if the application is modified in any way (for example, if someone injects malicious software into an APK for Facebook), but the application can simply be re-signed. Re-signed apps will not be updated through the Play Store because the signature will not match the real app, but that is enough for the initial install.

Google's solution to this problem is to add metadata to apps downloaded from the Play Store, so that Android devices can know from the start if the app matches the version found on the Play Store. Here is how the company explains it:

In the future, for applications obtained through Play-approved distribution channels, we will be able to determine the authenticity of the app when a device is offline, add those shared apps to a user's Play library and manage the updates. This will give users more confidence when using Play-approved peer-to-peer sharing apps.

This also benefits you as a developer because it provides an authorized offline Play distribution channel and, since the peer-shared application is added to your user's Play library, your app will now be eligible for Play app updates.

In summary, users can be sure that the applications they receive have not been tampered with, and application developers could see an increase in installations (since transferring files over a local connection costs nothing). This will not stop malicious applications that use a changed package name, but there is really nothing that can be done about those.

Shortly after Google's announcement, several media outlets incorrectly labeled the Play Store metadata as a form of digital rights management. DRM is an unpleasant term that may bring back memories of locked music files on iTunes, or of online games that constantly require an internet connection to verify ownership.

Play Store metadata is a second layer of verification, not a DRM.

The main purpose of DRM is to restrict the use of an application, game, movie or other proprietary or copyrighted work. The Play Store metadata that Google adds to APK files does not restrict the user: it only serves as a second layer of verification on top of the APK's existing signature.

Some outlets have floated the idea that future versions of Android could block the installation of applications without the metadata, which would make the Play Store comparable to Apple's "walled garden." There is no evidence that this is true. Google has invested heavily in Play Protect, which is primarily designed to scan sideloaded applications for malware. Although the company obviously prefers that everything be downloaded from the Play Store, it also makes every effort to make applications from unknown sources as safe as possible.

In summary, the metadata that Google adds to apps in the Play Store is certainly not DRM. It does not restrict users the way DRM does, and there is no proof that future versions of Android will block applications without it. It could theoretically be used as a starting point for DRM, but as it stands, it is just a verification method. You are more than welcome to continue installing hacked apps from a dodgy Russian website.
