So this is how it works. Google will modify the header file of the APK and add a new metadata field that will house the app's file signature. Until now, the metadata was not required, since the Play Store app handled all the checks in the background prior to installation.

The app file signature will help Android users in many ways. In countries like China, where the Google Play Store is banned, users can perhaps sideload the apps (not sure if the apps can be verified via Google servers). The biggest improvement comes in the form of security. Until now, there was no easy way of verifying the source of an APK file while installing from third-party sources. Chances are that some malicious sites bundled adware and other malware with the app. In countries like India, peer-to-peer transfer is quite popular, and apps like ShareIt are often used to share APK files. With the new verification method, Android users can breathe a sigh of relief while installing apps from sources other than the Play Store.

Not only that, users will also be able to install apps when the device is offline. Apps that have been downloaded offline will be added to a verification queue. Once the Android device comes online, the app will be verified against the one on the Play Store. Previously, apps that were sideloaded couldn't be verified, and this often served as an attack vector for hackers.

Google is trying to kill two birds with one stone. The new metadata header verification method will not only allow for seamless installation of Android apps via sideloading, but it will also ensure that the apps downloaded from third-party sources are legit.
