If you’re using a custom version of Android that doesn’t include the Google Play Store, you’ll need to sideload Android apps or manually install APK packages. The same applies when an app is experimental, in development, or no longer maintained or provided by its developer. Until now, the existence of sideloadable APKs on the web seemed to be tolerated by Google, though with warnings.
This quiet stagnation is being shaken up by new features in the Google Play Integrity API. Android Authority reports that “repair” dialogs pushed during sideloading, produced by developer tools that debuted at Google’s I/O conference in May, are starting to appear on users’ phones. People sideloading the apps for UK store Tesco, fandom app BeyBlade X, and ChatGPT are reporting an unavoidable “Get this app from Play” prompt. Users of Android gaming handhelds encountered a similarly worded prompt for Diablo Immortal on their devices three months ago.
Google’s Play Integrity API is how apps block access when they are loaded onto a phone that has been modified in any way from a standard OS with all of the Google Play integration features. Recently, a popular two-factor authentication app blocked access on rooted phones, including those running the security-focused GrapheneOS. Apps call the Play Integrity API to get back an “integrity verdict,” which tells them whether the phone has a “trusted” software environment, has Google Play Protect enabled, or has passed other software checks.
Graphene questions the reliability of Google’s Integrity API and SafetyNet Attestation systems, recommending standard Android hardware attestation instead. Rahman points out that apps don’t need to take an all-or-nothing approach to integrity checking: instead of blocking installation entirely, an app can call the API only when a sensitive action is performed and show a warning at that point. However, apps that are not connected to the Play Store leave developers without metrics, may be installed on incompatible devices (resulting in bad reviews), and, of course, may lead to piracy of paid apps.
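The graduated approach described above can be sketched as a server-side policy over a decoded integrity verdict. This is an added example, not code from Google, Android Authority or any app named in the article: the field and enum names follow Google's published verdict format for classic requests, while the package name, the action names, the freshness window and the policy itself are assumptions, and the verdict is assumed to have been decoded already by Google's servers.

```python
import time

EXPECTED_PACKAGE = "com.example.app"                  # hypothetical package name
SENSITIVE_ACTIONS = {"transfer_funds", "change_2fa"}  # hypothetical action names
MAX_AGE_MS = 5 * 60 * 1000                            # assumed freshness window

def decide(action, verdict=None, expected_nonce=None, now_ms=None):
    """Return (decision, reasons); decision is 'allow', 'warn' or 'block'."""
    if action not in SENSITIVE_ACTIONS:
        return "allow", []  # routine actions never request a verdict
    if verdict is None:
        return "block", ["sensitive action without a verdict"]
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    req = verdict.get("requestDetails", {})
    # A verdict issued for another app, another request or long ago proves nothing.
    if req.get("requestPackageName") != EXPECTED_PACKAGE:
        return "block", ["package mismatch"]
    if not expected_nonce or req.get("nonce") != expected_nonce:
        return "block", ["nonce mismatch"]
    if abs(now_ms - int(req.get("timestampMillis", 0))) > MAX_AGE_MS:
        return "block", ["stale verdict"]
    # Integrity signals lead to a warning rather than a lockout.
    reasons = []
    device = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    if "MEETS_DEVICE_INTEGRITY" not in device:
        reasons.append("device integrity not met")
    if verdict.get("appIntegrity", {}).get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
        reasons.append("app binary not recognized by Play")
    if verdict.get("accountDetails", {}).get("appLicensingVerdict") != "LICENSED":
        reasons.append("app not acquired through Play")
    protect = verdict.get("environmentDetails", {}).get("playProtectVerdict")
    if protect in ("MEDIUM_RISK", "HIGH_RISK"):
        reasons.append("Play Protect reports risky apps")
    return ("warn", reasons) if reasons else ("allow", [])

def sample_verdict(nonce, ts, device, app, licence, protect="NO_ISSUES"):
    """Constructed sample payload shaped like a decoded classic-request verdict."""
    return {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE,
                           "nonce": nonce, "timestampMillis": str(ts)},
        "deviceIntegrity": {"deviceRecognitionVerdict": device},
        "appIntegrity": {"appRecognitionVerdict": app},
        "accountDetails": {"appLicensingVerdict": licence},
        "environmentDetails": {"playProtectVerdict": protect},
    }

if __name__ == "__main__":
    now = 1_700_000_000_000  # constructed timestamp
    sideloaded = sample_verdict("n1", now, ["MEETS_BASIC_INTEGRITY"],
                                "UNRECOGNIZED_VERSION", "UNLICENSED")
    print(decide("view_catalogue"))
    print(decide("transfer_funds", sideloaded, "n1", now))
```

Only a verdict that cannot be tied to the current request is refused outright; a sideloaded or modified install still reaches the sensitive action, with the listed reasons available for the warning.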
Block “unknown distribution channels”
Google’s developer video on “Automatic Integrity Protection” (at 12:24 on YouTube) explains that “selected” apps have access to automatic protection, which adds automated checking tools to apps and provides “the strongest version of Google Play’s anti-tamper protection.” A slide from the presentation states that “if users acquire a protected app from an unknown distribution channel, they will be prompted to get it from Google Play,” and that it is available to “select Play partners.”
Last year, Google introduced malware scanning for sideloaded apps upon installation. Google and Apple have opposed bills that would expand sideloading rights for smartphone owners, citing security and reliability concerns. European regulators earlier this year forced Apple to allow sideloaded apps and app stores, albeit with fees and geographic restrictions.