(Cryptographically) sign me up! Android to take bad app checks offline


Google says Android will no longer require an internet connection to check whether applications are legit or potentially malicious.

From now on, the Play Store will embed metadata into apps’ APKs that will be used to check whether or not the software is authentic, and confirm whether it came through the official Google souk or another Google-approved market.

Android will be able to verify that metadata – essentially a cryptographic signature – even when offline. Legitimately signed apps that were not downloaded from the Play Store, for instance ones fetched over bandwidth-saving local peer-to-peer networks, will still receive updates and security fixes from the official store once an outside connection is established, a side benefit Google is pitching to Android developers.

The Chocolate Factory said the move was made with an eye on the peer-to-peer networking space, where users in developing countries and rural areas often turn to get software when internet access can be hard to come by.

Being able to verify software offline means people who get apps from P2P connections will be able to instantly make sure the app has not been infected with malware or otherwise tampered with, rather than wait for a connection to the Play store.
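The offline check described above, modelled as an added Go example that is not Google's code: the store signs a small metadata record (channel plus APK hash) and appends it to the APK, and the device needs only the store's public key to reject a tampered APK, a forged record or an unapproved channel without any network access. The trailer layout, the Metadata fields and the approved-channel list are assumptions; the real Play format is not described in the article.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)
// Metadata is an assumed stand-in for the record the store appends; the real layout is not in the article.
type Metadata struct {
	Channel string // distribution channel the store vouches for
	APKHash []byte // SHA-256 of the APK bytes as the store saw them
}
// Attach models the store side: hash the APK, sign the metadata, append meta|sig|metaLen.
func Attach(apk []byte, priv ed25519.PrivateKey, channel string) []byte {
	h := sha256.Sum256(apk)
	meta, _ := json.Marshal(Metadata{channel, h[:]})
	out := append(append(append([]byte{}, apk...), meta...), ed25519.Sign(priv, meta)...)
	return binary.BigEndian.AppendUint32(out, uint32(len(meta)))
}
// Verify models the device side: only the store's public key is needed, so it works offline.
func Verify(blob []byte, pub ed25519.PublicKey, approved map[string]bool) (*Metadata, error) {
	if len(blob) < 4+ed25519.SignatureSize {
		return nil, errors.New("no signed metadata trailer: cannot verify offline")
	}
	end := len(blob) - 4
	sigStart := end - ed25519.SignatureSize
	metaStart := sigStart - int(binary.BigEndian.Uint32(blob[end:]))
	if metaStart < 0 || metaStart > sigStart {
		return nil, errors.New("malformed trailer")
	}
	apk, meta, sig := blob[:metaStart], blob[metaStart:sigStart], blob[sigStart:end]
	if !ed25519.Verify(pub, meta, sig) {
		return nil, errors.New("metadata signature invalid: not issued by the store")
	}
	var m Metadata
	if err := json.Unmarshal(meta, &m); err != nil {
		return nil, err
	}
	if h := sha256.Sum256(apk); !bytes.Equal(h[:], m.APKHash) {
		return nil, errors.New("APK bytes do not match signed hash: tampered in transit")
	}
	if !approved[m.Channel] {
		return nil, errors.New("distribution channel is not Play-approved")
	}
	return &m, nil
}
```

Because the hash covers the APK bytes and the signature covers the hash and channel, an attacker who relays the app over P2P can neither alter the APK nor re-label its channel without the store's private key.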

“One of the reasons we’re doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity,” explained Play product manager James Bender on Tuesday.

“In the future, for apps obtained through Play-approved distribution channels, we’ll be able to determine app authenticity while a device is offline, add those shared apps to a user’s Play Library, and manage app updates when the device comes back online.”

To implement the new checking system, Google said it will slightly raise the size limit on APKs. This will allow the Play Store to add the security metadata into apps without requiring developers to repackage them. Developers will not need to take any actions, as the metadata will be injected into apps automatically via the Play store.