Google Adding DRM to All Apps on the Play Store

da_knug

SOURCE: https://android-developers.googleblog.com/2018/06/google-play-security-metadata-and.html?m=1

 

Google just announced that they'd start to add a special string of metadata to all apps on the Play Store.

This is not all bad news, Google is reportedly doing this to make offline peer-to-peer distribution safer as APKs not containing this DRM will not run.

This could potentially also make pirating APKs safer as you wouldn't be able to install potential viruses.

Although there's nothing saying that Google can't turn around and abuse this at a later date.

 

EDIT:

 

This is what Google themselves say about why they're adding this:

 

"One of the reasons we're doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity."


so... how will this work for apps that can't get onto the play store? (Niche apps, adult apps, apps still under development, etc)


 

A mod will move/delete this unless you fix it ;)


14 minutes ago, CerberusFlame99 said:

so... how will this work for apps that can't get onto the play store? (Niche apps, adult apps, apps still under development, etc)

No change. This should be for Play Store apps only and Play Store apps distributed through other channels. I think a developer that has an app on the store could even make a separate APK without the DRM to distribute elsewhere. Currently, APKs with no Store affiliation don't get added to your library anyway.


2 minutes ago, Trixanity said:

No change. This should be for Play Store apps only and Play Store apps distributed through other channels. I think a developer that has an app on the store could even make a separate APK without the DRM to distribute elsewhere. Currently, APKs with no Store affiliation don't get added to your library anyway.

I'm guessing I just read this wrong then? (sorry, I'm pretty sleep deprived) But it seemed to me like he was saying that if it didn't have the DRM, it won't run on the Android operating system...

Quote

This is not all bad news, Google is reportedly doing this to make offline peer-to-peer distribution safer as APKs not containing this DRM will not run.

 


1 minute ago, CerberusFlame99 said:

I'm guessing I just read this wrong then? (sorry, I'm pretty sleep deprived) But it seemed to me like he was saying that if it didn't have the DRM, it won't run on the Android operating system...

 

The source says no such thing though so I think that's an interpretation. I'd imagine XDA would be up in arms if APKs were killed as it'd be a huge blow to the developer community.

 

I think what will happen is that you'll be able to tell if an app is Play Store approved and that it authenticates the app as legit and unchanged. So if you snatch an APK and try to redistribute it either as is or if modified, it'll refuse to run unless approved with the correct metadata string.

 


23 minutes ago, Master Disaster said:

 

A mod will move/delete this unless you fix it ;)

Added a quote for the original article if that was what you were talking about.


1 minute ago, Trixanity said:

The source says no such thing though so I think that's an interpretation. I'd imagine XDA would be up in arms if APKs were killed as it'd be a huge blow to the developer community.

 

I think what will happen is that you'll be able to tell if an app is Play Store approved and that it authenticates the app as legit and unchanged. So if you snatch an APK and try to redistribute it either as is or if modified, it'll refuse to run unless approved with the correct metadata string.

 

Hmm. I see what you're saying but I wonder how they would make this work... I'm sure there will just be cracked apps where the DRM is removed just like we do for PC programs and games...


1 minute ago, CerberusFlame99 said:

Hmm. I see what you're saying but I wonder how they would make this work... I'm sure there will just be cracked apps where the DRM is removed just like we do for PC programs and games...

Yeah, I imagine you can strip the DRM but then it'll just be like any other APK outside of the Store. This move means you can distribute your app through P2P and when you install it, it'll be added to your library and updated through the store like any other store app. With regular APKs, you'd need to update through a new APK or some other custom method.

This is basically a seal of approval that this app came from the Play Store and can therefore integrate with that and whatever that entails. 

This is a way to distribute Play Store apps through other sources and verifying their authenticity. It should not affect current or future APKs like those you'll find circumventing the Store for various reasons.


2 minutes ago, Trixanity said:

Yeah, I imagine you can strip the DRM but then it'll just be like any other APK outside of the Store. This move means you can distribute your app through P2P and when you install it, it'll be added to your library and updated through the store like any other store app. With regular APKs, you'd need to update through a new APK or some other custom method.

This is basically a seal of approval that this app came from the Play Store and can therefore integrate with that and whatever that entails. 

This is a way to distribute Play Store apps through other sources and verifying their authenticity. It should not affect current or future APKs like those you'll find circumventing the Store for various reasons.

Oh okay. So basically it just means that that version of the app has been verified to be unmodified. Basically it's just a retail version of the app?


4 minutes ago, CerberusFlame99 said:

Oh okay. So basically it just means that that version of the app has been verified to be unmodified. Basically it's just a retail version of the app?

Sure, I guess. It's kinda like buying a Steam key elsewhere and adding it to Steam I'd say. Not entirely the same but I think the analogy is sound.

You can still get pirated apps elsewhere or get cracked versions elsewhere. In this case, you still have access to the DRM-free GOG store if you want but Steam is the primary platform and you can now get Steam products elsewhere too. That's the gist of what's happening from what I can tell.


For fans of their gnu/freedumbs like myself:

 

https://f-droid.org/

 

either way this doesn't seem to be a big issue - yet.

7 minutes ago, huilun02 said:

Magisk systemless apps

Ohhh... that looks interesting


1 hour ago, Aiedail said:

offline peer-to-peer distribution

isn't this like a contradiction? how do you do P2P offline o.O


4 minutes ago, asus killer said:

isn't this like a contradiction? how do you do P2P offline o.O

You come to my house and use wifi or Bluetooth to transfer the apk to my phone.

 

It's common on devices in places like India and Africa where high quality internet can be challenging.


I think Google just needs to better moderate their Play Store. The amount of fake apps and blatant ripoffs is insane.

 

for example of just PUBG on just the first like 4 rows

  • Unknown Battle round Royale
  • Battlelands Royale
  • Grand Battle Royale: Pixel FPS (pixel in this case, meaning basically Minecraft graphics)
  • PIXEL'S UNKNOWN BATTLE GROUND (almost identical to the above)
  • Battle Royale Craft (almost identical to the 2 above)
  • Royale Battle 2018 Survival

 

and there's another billion for Fortnite


3 minutes ago, asus killer said:

isn't this like a contradiction? how do you do P2P offline o.O

That's another interpretation by OP.

The source says this

Quote

One of the reasons we're doing this is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity.

 

In the future, for apps obtained through Play-approved distribution channels, we'll be able to determine app authenticity while a device is offline, add those shared apps to a user's Play Library, and manage app updates when the device comes back online. This will give people more confidence when using Play-approved peer-to-peer sharing apps.

 

This also benefits you as a developer as it provides a Play-authorized offline distribution channel and, since the peer-to-peer shared app is added to your user's Play library, your app will now be eligible for app updates from Play.

I honestly don't know how P2P would benefit anyone's data plan. With large files it would allow you to stop and resume so you can get the files over several sessions but since I assume most plans are monthly: how many would download an app over several months to avoid fees or throttling unless there is a daily limit on the network?

 

The offline aspect sounds like one person could download it and share it with friends locally and they'd get full Play Store support. You could also have a LAN/network that distributes apps that doesn't always have the best internet connectivity and still use P2P technology to distribute apps.

 

I feel like I'm grasping at straws to justify the necessity though.


1 minute ago, Trixanity said:

That's another interpretation by OP.

The source says this

I honestly don't know how P2P would benefit anyone's data plan. With large files it would allow you to stop and resume so you can get the files over several sessions but since I assume most plans are monthly: how many would download an app over several months to avoid fees or throttling unless there is a daily limit on the network?

 

The offline aspect sounds like one person could download it and share it with friends locally and they'd get full Play Store support. You could also have a LAN/network that distributes apps that doesn't always have the best internet connectivity and still use P2P technology to distribute apps.

 

I feel like I'm grasping at straws to justify the necessity though.

No, you had it precisely right. That's how a lot of app distribution in developing countries is handled. Handsets have software built in to let you directly share software with your friends, rather than going through official distribution methods, over LAN. There are also sometimes "distribution centers" where you can go and they just have a big collection of apps to download/update over WiFi.

 

I also just want to point out for everyone that if you're worried about intrusive DRM this is not that in any way. This is DRM that works pretty much opposite how most DRM you'd think of works.

 

As far as intrusive DRM for paid apps, Google Play has had that for like forever. It's the "validating license" you see when starting some apps. It just mostly goes unnoticed because it usually "just works", is fairly out of sight, and relatively unintrusive.


stop saying DRM, this is not at all like DRM as i understood it.

DRM is digital rights management or something like that, this is nothing like that as it appears to have nothing to do with copyrights. It's just some code that the android OS checks for even off-line.

 

still couldn't someone inject the virus and leave the code in there? does it check for file size? i guess we will probably have more information later by hackers 


3 minutes ago, asus killer said:

stop saying DRM, this is not at all like DRM as i understood it.

DRM is digital rights management or something like that, this is nothing like that as it appears to have nothing to do with copyrights. It's just some code that the android OS checks for even off-line.

 

still couldn't someone inject the virus and leave the code in there? does it check for file size? i guess we will probably have more information later by hackers 

Yeah, I don't think it actually blocks anything as the OP implies it does. I think at best it'll throw a warning if the metadata doesn't match (I may be wrong) or maybe you can force-install it anyway.

 

I think all Play Store apps have checksum verification when downloading. APKs obviously don't. This initiative adds data to verify Play Store apps that aren't downloaded on the Play Store. This doesn't prevent malware directly but there are a lot of measures on the Play Store to secure and verify apps but there are obviously ways to upload crap to the store anyway. So I don't think this is a security/piracy prevention program in any form. It's just to give developers alternative distribution methods to give them more opportunities to increase the size of their audience.


2 hours ago, Pangea2017 said:

Could it be that this only will affect app with min API level 24 (android 7.0) and above?

They want to add the data to the apk signing block which was introduced with android 7.

It'll work only with devices on Android 7+, but should work regardless of app version. Keep in mind that the APK you upload to Google Play and the APK users receive nowadays are slightly different. They do some further optimizations on their end, add in extra metadata, and with App Bundles or Instant Apps even chop up your app and distribute it in little bits.

 

3 hours ago, asus killer said:

stop saying DRM, this is not at all like DRM as i understood it.

DRM is digital rights management or something like that, this is nothing like that as it appears to have nothing to do with copyrights. It's just some code that the android OS checks for even off-line.

 

still couldn't someone inject the virus and leave the code in there? does it check for file size? i guess we will probably have more information later by hackers 

It's not checking filesize, but rather a checksum of the contents. Even if you made a new file with the same size, but different content, the checksum wouldn't match and it would fail to verify.

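The post above places the new metadata in the APK signing block introduced with Android 7. As an added illustration (not part of any post in this thread and not Google's code), this sketch locates that block in front of the ZIP Central Directory and lists its ID-value pairs; the sample file is constructed, and `SAMPLE_META_ID` is a made-up ID standing in for a metadata pair.

```python
import struct

EOCD_SIG = b"PK\x05\x06"      # ZIP End of Central Directory signature
MAGIC = b"APK Sig Block 42"   # trailer of the APK Signing Block
V2_ID = 0x7109871A            # APK Signature Scheme v2 pair ID
SAMPLE_META_ID = 0x12345678   # made-up ID standing in for a metadata pair


def central_directory_offset(apk: bytes) -> int:
    """Read the Central Directory offset from the ZIP EOCD record."""
    eocd = apk.rfind(EOCD_SIG)  # simplification: ZIP comment holds no signature bytes
    if eocd < 0 or eocd + 22 > len(apk):
        raise ValueError("no End of Central Directory record")
    (cd,) = struct.unpack_from("<I", apk, eocd + 16)
    if cd > eocd:
        raise ValueError("Central Directory offset points past EOCD")
    return cd


def signing_block_pairs(apk: bytes) -> dict:
    """Return {pair ID: value} from the APK Signing Block, or {} if absent."""
    cd = central_directory_offset(apk)
    if cd < 32 or apk[cd - 16:cd] != MAGIC:
        return {}               # JAR-signed only: no signing block present
    (size,) = struct.unpack_from("<Q", apk, cd - 24)
    start = cd - size - 8       # size excludes the leading size field
    if size < 24 or start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("signing block size fields are inconsistent")
    pairs, pos, end = {}, start + 8, cd - 24
    while pos < end:
        if pos + 12 > end:
            raise ValueError("truncated ID-value pair")
        length, pair_id = struct.unpack_from("<QI", apk, pos)
        if length < 4 or pos + 8 + length > end:
            raise ValueError("ID-value pair overruns the block")
        pairs[pair_id] = apk[pos + 12:pos + 8 + length]
        pos += 8 + length
    return pairs


def build_sample(pairs: dict) -> bytes:
    """Build a constructed, minimal APK-shaped byte string for the demo."""
    body = b"".join(struct.pack("<QI", len(v) + 4, i) + v for i, v in pairs.items())
    size = len(body) + 24       # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + MAGIC
    entries = b"\x00" * 30      # stand-in for the ZIP file entries
    cd = len(entries) + len(block)
    return entries + block + EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, cd, 0)


if __name__ == "__main__":
    demo = build_sample({V2_ID: b"constructed-signature", SAMPLE_META_ID: b"constructed-metadata"})
    for pair_id, value in signing_block_pairs(demo).items():
        print(f"0x{pair_id:08x}: {len(value)} bytes")
```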

3 hours ago, asus killer said:

stop saying DRM, this is not at all like DRM as i understood it.

It's DRM. Not the typical style of DRM, but DRM nonetheless.

4 hours ago, asus killer said:

how do you do P2P offline

Sneakernet.


I think Google is finally realizing that in order to have any semblance of quality control you need to have some control and lock things down.


5 minutes ago, Dan Castellaneta said:

Metadata =/= DRM

Pretty damn dishonest to call it that, to be honest.

Eh, essentially what I'm reading is that without the extra pieces of proprietary code, your app will not run. Isn't that essentially DRM?


1 hour ago, Dan Castellaneta said:

Metadata =/= DRM

Pretty damn dishonest to call it that, to be honest.

Metadata can be used as DRM. The point of this metadata is to whitelist validated apps as play store certified and unmodified. Not having this metadata in .APKs on the store, moving forward, would deny them the ability to run.

 

It's DRM to counter malware.
