Apps can now block sideloading more easily and force downloads through Google Play

A photo of a phone with the Play Integrity get licensed remediation dialog showing

Mishaal Rahman / Android Authority

TL;DR

  • The Google Play Integrity API lets apps check whether your account is “unlicensed,” meaning you didn’t install or buy the app from Google Play.
  • More importantly, the app can then show a remediation dialog that tells you that you have to get the app from Google Play to continue using it.
  • This remediation feature was introduced back in May during Google I/O and is already being used by some games to block sideloading.

There are many reasons why you may want to sideload apps on your Android phone, but there are also good reasons why developers would want to block sideloading. A sideloaded app won’t contribute to the developer’s Play Store metrics, for one, and it also prevents the developer from curating which devices can use their app. Improperly sideloaded apps can also crash due to missing assets or code (for example, a base APK installed without its split APKs), or they might be missing certain features because you installed the wrong version for your device. Whatever the reason may be, developers who want to stop you from sideloading their apps now have an easier way to do so thanks to the Play Integrity API.

The Google Play Integrity API is an interface that helps developers “check that interactions and server requests are coming from [their] genuine app binary running on a genuine Android device.” It looks for evidence that the app has been tampered with, that the app is running in an “untrustworthy” software environment, that the device has Google Play Protect enabled, and more. If you’ve heard of or dealt with SafetyNet Attestation before on a rooted phone, then you’re probably already familiar with Play Integrity, even if not by that name. Play Integrity is the successor to SafetyNet Attestation, only it comes with even more features for developers.

As is the case with SafetyNet Attestation, developers call the Play Integrity API at any point in their app, receive what’s called an integrity verdict, and then decide what they want to do from there. Some apps call the Play Integrity API when they launch and block access entirely depending on what the verdict is, while others only call the API when you’re about to perform a sensitive action, so they can warn you that you shouldn’t proceed. The verdict is delivered as an encrypted, signed token, so the check only carries weight if the developer’s backend decrypts and verifies it rather than trusting the app’s own reading of it; a purely client-side check can be patched out of a modified APK. The Play Integrity API makes it easy for apps to offload the determination of whether the device and its software environment are “genuine,” and with the latest update to the API, apps can now easily determine whether the person who installed them is “genuine” as well.

During its Google I/O developer conference back in May, Google introduced the ability for apps to show certain “remediation” dialogs when there’s an issue with an integrity verdict. For example, when appLicensingVerdict returns “UNLICENSED” in the integrity verdict, it means that the current user account is unlicensed, i.e., you didn’t install or buy the app from the Google Play Store. In response, developers can use the Play Integrity API to show the GET_LICENSED remediation dialog, which prompts you to get their app from the Play Store. If you accept, your account becomes licensed (i.e., the next time it is checked, appLicensingVerdict will return “LICENSED” in the integrity verdict), the app is added to your Play Store library, and the app will receive future updates through the Play Store.
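As an added example (not from the article, from linuxct’s demo app, or from Google’s own code), here is what the server-side half of that decision might look like in Python: a backend receives an already-decrypted verdict, binds it to the request it issued, and tells the client whether to proceed, show the GET_LICENSED dialog, or stop. The verdict field names follow Google’s published verdict format; the package name, request hashes, timestamps and the freshness window are assumptions, and the sample verdicts are constructed for this example. Decrypting the token and actually showing the dialog on the device are outside this snippet.

```python
import json

# Assumption: a verdict older than this is treated as stale (replay protection).
MAX_VERDICT_AGE_MS = 5 * 60 * 1000

# Constructed sample verdicts in the shape Google returns once a Play Integrity
# token has been decrypted and verified server-side. Field names follow the
# published verdict format; package name, hashes and timestamps are made up.
CONSTRUCTED_VERDICTS = {
    "licensed_from_play": {
        "requestDetails": {"requestPackageName": "com.example.game",
                           "requestHash": "req-hash-1",
                           "timestampMillis": "1700000000000"},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                         "packageName": "com.example.game", "versionCode": "42"},
        "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    },
    # Same APK pulled from Play and sideloaded on an account that never got it.
    "sideloaded_unlicensed": {
        "requestDetails": {"requestPackageName": "com.example.game",
                           "requestHash": "req-hash-2",
                           "timestampMillis": "1700000000000"},
        "appIntegrity": {"appRecognitionVerdict": "UNRECOGNIZED_VERSION",
                         "packageName": "com.example.game", "versionCode": "42"},
        "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
        "accountDetails": {"appLicensingVerdict": "UNLICENSED"},
    },
    # Device fails integrity, so licensing is not evaluated at all.
    "rooted_unevaluated": {
        "requestDetails": {"requestPackageName": "com.example.game",
                           "requestHash": "req-hash-3",
                           "timestampMillis": "1700000000000"},
        "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED",
                         "packageName": "com.example.game", "versionCode": "42"},
        "deviceIntegrity": {"deviceRecognitionVerdict": []},
        "accountDetails": {"appLicensingVerdict": "UNEVALUATED"},
    },
}


def decide(verdict: dict, expected_package: str,
           expected_request_hash: str, now_ms: int) -> str:
    """Return one of ALLOW, GET_LICENSED or DENY for a decrypted verdict.

    The client is expected to act on the string: continue, show the
    GET_LICENSED remediation dialog, or stop. Policy choices are commented.
    """
    rd = verdict.get("requestDetails", {})

    # 1. Bind the verdict to *this* request: right package, the hash we
    #    issued for this call, and not older than our freshness window.
    #    Without this, a captured "LICENSED" verdict can be replayed.
    if rd.get("requestPackageName") != expected_package:
        return "DENY"
    if rd.get("requestHash") != expected_request_hash:
        return "DENY"
    if now_ms - int(rd.get("timestampMillis", "0")) > MAX_VERDICT_AGE_MS:
        return "DENY"

    # 2. Device environment: no device integrity, no service. The licensing
    #    field is not evaluated in that state anyway.
    device = set(verdict.get("deviceIntegrity", {})
                        .get("deviceRecognitionVerdict", []))
    if "MEETS_DEVICE_INTEGRITY" not in device:
        return "DENY"

    # 3. Licensing. UNLICENSED is the case the article describes: the user
    #    did not get the app from Play, so ask the client to show GET_LICENSED.
    #    The remediation replaces the unrecognized build, so an
    #    UNRECOGNIZED_VERSION app still gets the dialog rather than a hard deny.
    licensing = verdict.get("accountDetails", {}).get("appLicensingVerdict")
    if licensing == "UNLICENSED":
        return "GET_LICENSED"
    if licensing != "LICENSED":
        # UNEVALUATED or missing: policy choice here is to fail closed.
        return "DENY"

    # 4. Binary integrity: licensed account but a build Play does not recognise
    #    (e.g. repackaged) is still refused.
    app = verdict.get("appIntegrity", {}).get("appRecognitionVerdict")
    if app != "PLAY_RECOGNIZED":
        return "DENY"
    return "ALLOW"


def decide_from_json(raw_verdict: str, expected_package: str,
                     expected_request_hash: str, now_ms: int) -> str:
    """Same as decide(), but takes the verdict as the JSON string a backend holds."""
    return decide(json.loads(raw_verdict), expected_package,
                  expected_request_hash, now_ms)


if __name__ == "__main__":
    now = 1700000060000  # one minute after the constructed timestamps
    for name, v in CONSTRUCTED_VERDICTS.items():
        print(name, "->", decide(v, "com.example.game",
                                 v["requestDetails"]["requestHash"], now))
```

The ordering is deliberate: request binding and freshness come first so that a verdict captured from a licensed install cannot be replayed by a sideloaded one, and the licensing check runs before the binary check because, as described above, the GET_LICENSED flow replaces the unrecognized build rather than merely rejecting it. Treating UNEVALUATED as a denial is a policy assumption for this example, not something the API mandates.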

Here’s a demo of the Play Integrity API’s new GET_LICENSED remediation dialog, courtesy of an open source app made by developer linuxct to demonstrate the new functionality:

Play Integrity Get Licensed remediation demo

Mishaal Rahman / Android Authority

As you can see, the remediation dialog tells you to “get this app from Play” in order to continue using it. There’s an option to close the dialog, but there’s no way to bypass it entirely: if you close it, the app is told that the dialog was dismissed, and the developer can decide whether to keep blocking access.

If you proceed by tapping “get app,” the app’s Play Store landing page is opened where an “install from Play” button is shown in place of the usual “install” button. Tapping the button shows a dialog that asks you whether you want to “install this app from Play.” By proceeding, the “unrecognized” version of the app will be removed along with any associated data.

Developers had other means to detect if their apps were sideloaded before this feature was introduced in the Play Integrity API, but this change makes it easier for developers to implement this kind of check. We don’t have a full picture of which apps are using this particular feature yet, but it’s highly likely that more games will jump on board with it. The Tesco and BeyBlade X apps both seem to be using this feature already, while the popular game Diablo Immortal seems to be using something similar to it.

As Google continues to bolster Play Integrity’s detection mechanisms and add new features, it’s going to become harder and harder for power users to justify rooting Android. At the same time, regular users will be better protected from potentially risky and fraudulent interactions, so it’s clear that Play Integrity will continue to be adopted by more and more apps. It’s already used by numerous popular apps on Google Play, including Stripe, Uber, and TikTok, and we’re likely to see more adopt it as time goes on.

