Android: does this mean the end of sideloading apps is getting closer?

This looks bad particularly for those on custom roms who do use Aurora Store (for example) to install apps available in Play Store.

I haven’t dug into this further, so I would appreciate it if you have some deeper insight into this and would like to share it here.

4 Likes

Sounds like it’s aimed at the app developers themselves who may not want their apps to be sideloaded rather than a blanket ban on sideloading in general as an option to enhance the protection against it being possible - if Google wanted to prevent sideloading anything at all, it would be significantly easier for them than implementing checks like this.

Ultimately it seems like your feelings about it will depend on whether or not you believe an app developer has the right to determine how their software is used, or if once they’ve built and released it it belongs to the world to do what they want with it.

6 Likes

Yeah, I don’t see this as an end to sideloading, which really wouldn’t make sense considering Apple was forced by the EU earlier to allow sideloading on the iPhone. Google would have to leave it available for the EU market or face the same type of suit.

I think this is developers wanting to make sure they get the appropriate funds for their work. At least that is how I see it presented.

5 Likes

I do personally rely on a few applications on my custom rom that are only available on Play Store that I install via Aurora.

If the developers of these apps start implementing this Google Play Integrity API, that would be a major drawback for me.

To me, that would, in practice, mean the end of sideloading.

I’ll have to have a second Google Android Only device to have access to these apps. Something, just the thought of which, makes me feel a bit sick.

1 Like

To my knowledge, Aurora downloads the APKs directly from Google, through a nondescript account that isn’t linked to you in any way, thus, this likely means nothing for you.

The apps are detecting if they were installed via the play store so I don’t think what Aurora is doing would change that.

I don’t see how that would work, considering that Aurora acts in an extremely similar manner to the Play Store.

The way I have understood it, the API will let the app perform a series of checks on the device.

For example, it will check if Google Play Protect is enabled on the device or not. On a degoogled custom rom, this would fail and consequently the user wouldn’t be able to install/update the application.

That is at least how I have understood this.

Because Google added APIs to make it work and enforce it. The Play Store knows what you have installed via the store.

I don’t think it is blocking installation. I think the apps are checking and then refusing to run. That seems worse and quite a bit harder to circumvent.

1 Like

If that is the case, then it’s worse than I thought.

This would force me to use a Google only phone only for a couple of apps that are a must for me.
That’s horrific :sweat_smile:

1 Like

Yeah - this isn’t “Google are blocking sideloading” so much as it’s “developers can now opt to not allow their apps to be sideloaded”, which is a completely different proposition in the wider view.

Ultimately it boils down to if the developer of the app you used would rather restrict their app to only being available usefully from the Play Store or not - they are the people you need to engage with, not Google.

2 Likes

Okay. How could the API know that I’ve downloaded and installed something through Aurora if Aurora’s anonymous accounts are actually just real accounts to Google services, connecting to Google’s servers, downloading the APK and then running it on the device? Unless some black magic happened, I don’t see how the API could notice anything different than what the Play Store already does itself. Perhaps the API would know that apps were downloaded through the official client or through a third-party client.

I am no Android developer, but it would be trivially simple - sign the APK with a license tied to the account that downloaded it from the Play Store.

Check if that license matches the account that’s on the device trying to run the app - no match, no run.

Unless Aurora also provisions your device with the credentials for the ‘anonymous’ account it’s using rather than just passing along the raw APK, it would be very easy.

1 Like

It doesn’t know that you “downloaded it via Aurora”. It only knows “It wasn’t installed via the Play Store” which is all that matters.

The API can simply ask, “Was this installed via the Play Store?”. Since the Play Store is tracking everything you do through it, this is straightforward.

4 Likes
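As an added illustration (not part of any post in this thread, and not Google's or any app's own code): a sketch of the decision an app developer's backend could make over an already decrypted Play Integrity verdict, using the documented verdict fields of the classic request. The package name, nonce, freshness window, `require_play_protect` switch and sample payloads are constructed assumptions.

```python
import time

EXPECTED_PACKAGE = "com.example.app"  # hypothetical package name
MAX_AGE_MS = 2 * 60 * 1000            # assumed freshness window: two minutes


def evaluate_verdict(verdict, expected_nonce, now_ms=None, require_play_protect=False):
    """Return (allowed, reasons) for a decrypted, signature-verified verdict dict."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    reasons = []
    req = verdict.get("requestDetails", {})
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        reasons.append("package name mismatch")
    if req.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (possible replay)")
    if now_ms - int(req.get("timestampMillis", 0)) > MAX_AGE_MS:
        reasons.append("verdict too old")
    # Is the running binary one that Google Play recognises?
    if verdict.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app binary not recognised by Play")
    # Does the account on the device hold a Play entitlement for the app?
    if verdict.get("accountDetails", {}).get("appLicensingVerdict") != "LICENSED":
        reasons.append("account has no Play licence for this app")
    # Device labels arrive as a list; an empty list means no integrity signal.
    labels = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if "MEETS_DEVICE_INTEGRITY" not in labels:
        reasons.append("device does not meet device integrity")
    # Play Protect status is an optional signal, enforced only if policy asks.
    if require_play_protect:
        pp = verdict.get("environmentDetails", {}).get("playProtectVerdict", "UNEVALUATED")
        if pp != "NO_ISSUES":
            reasons.append("Play Protect verdict is " + pp)
    return (not reasons, reasons)


# Constructed sample payload builder (values are not captured from a real device).
def sample(recognition, licensing, device_labels, play_protect, ts="1700000000000"):
    return {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE, "nonce": "bm9uY2U", "timestampMillis": ts},
        "appIntegrity": {"appRecognitionVerdict": recognition},
        "accountDetails": {"appLicensingVerdict": licensing},
        "deviceIntegrity": {"deviceRecognitionVerdict": device_labels},
        "environmentDetails": {"playProtectVerdict": play_protect},
    }
```

The verdict only reports signals; whether an unlicensed account or a device without integrity labels is refused is the policy the app's developer writes on their own server.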

The API could just check for the IMEI/MEID, IMSI, SIM, and build serial against its Play Store database to see if those were downloaded / installed under permissive actions.

1 Like

To be honest, a dumb phone is good enough for me. Just as long as it’s not smarter than the user. :laughing:

2 Likes