In a bid to improve security, Google is now adding security metadata to APKs to help with app authenticity. This is especially important in areas where APKs are transferred peer-to-peer. This security metadata will help Google verify app authenticity, and manage app updates in the future. The tech giant had last year announced app security and performance changes for developers on Google Play. These changes included requiring new apps and updates to existing apps to target the most recent Android API level, compulsory 64-bit app versions by 2019, and addition of security metadata to each APK. The last bit has finally come into effect today, and allows for several benefits such as offline authenticity check, bringing apps to the users's Play Library, and more.
Moving forward, Google will now be adding security metadata on top of each APK to verify that it was officially distributed by Google Play. This change will not require any action or change from the developers or users. Instead, it will be inserted into the APK Signing Block, thus not altering the app's functionality. This metadata is expected to act as a Play badge of authenticity for the Android app.
Google notes on its blog, "One of the reasons we're doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity."
As mentioned, this move will also let Google ascertain app authenticity while a device is offline, add those shared apps to a user's Play Library, and manage app updates when the device comes back online. In addition to improving the integrity of Google Play's mobile app ecosystem, it will also give developers new distribution opportunities, and help more people keep their apps on point.