Android 14 introduced the ability for application stores to claim ownership over application updates, to ensure other installation sources won’t accidentally update applications they shouldn’t. What is still lacking, however, is for users to easily change the update ownership for applications. In other words, say you install an application by downloading an APK from GitHub, and later the application makes its way to F-Droid, you’ll get warning popups when F-Droid tries to update that application.
That’s about to change, it seems, as Android Authority discovered that the Play Store application seems to be getting a new feature where it can take ownership of an application’s updates.
A new flag spotted in the latest Google Play Store release suggests that users may see the option to install updates for apps downloaded from a different source. As you can see in the attached screenshots, the Play Store will show available updates for apps downloaded from different sources. On the app listing, you’ll also see a new “Update from Play” button that will switch the update ownership from the original source to the Play Store.
↫ Pranob Mehrotra at Android Authority
Assuming this functionality is just an API other application stores can also tap into, this will be a great addition to Android for power users who use multiple application stores and want to properly manage which store updates what applications. It’s not something most people will ever really use or need, but if you’re the kind of person who does need it – it’ll become indispensable.
Anybody have confirmation this works in the other direction? Maybe google are just giving themselves the privilege.
Traditionally any special privileges for app stores were only available to preinstalled apps in the rom, so I suspect something similar will apply here – Samsung etc will be able to do it, or if you run a custom image, otherwise probably not.
It still will be the case.
The reason it’s erroring-out is because F-Droid builds fresh new apks, thus needing their own signature. Thus the trust chain is entirely different. In fact, you already can (or could?) update an apk installed from another source from another source, as long as the signatures match.
And what does this mean for the apps that I bought and are in the play store but I sideload because google decided some of the permissions required to make them work were not for such apps?
Will it take over and install the non working version? (Hopefully they have different IDs.)
Currently you have to use a Google account to download apps from the Play Store. If this works without account, it’s actually quite neat. You could do the initial install from wherever (Github, APK from website, Aurora Store) and then get background updates from the Play Store without needing to connect your whole phone to a Google account.
As someone else already mentioned, F-Droid versions of the apps won’t be compatible because they build the apps themselves and sign it with their own signature.
> Currently you have to use a Google account to download apps from the Play Store
Actually Aurora store allows installing from Play Store without a Google account.
jemmjemm,
Theoretically the Aurora store would be extremely useful for lineageOS phones like mine that don’t want google services (we don’t want google tracking us). But in practice the Aurora store basically never works for me. If you have a google account I believe the aurora store can use that, but otherwise it appears to use a shared account to download apks and there’s an error almost 100% of the time. This of course is a major problem because almost all android software gets distributed exclusively through the google app store monopoly. I’m typically forced to use mirrors like apkpure. I would not recommend their installers as they are filled with adware that pop up ads even when you are not using them. This is unacceptable, but then again most of their users are a captive audience who have no choice if they don’t want google services on their devices.
> But in practice the Aurora store basically never works for me.
It’s true, that Aurora store sometimes fails. For me it has been around 25% of attempts failing. But then again I’ve had to install only 5-something apps on different devices from Google Play via Aurora Store (you know, the “government and banking stuff”).
One alternative is to use a random burner Google account in Aurora Store (unique per device). If you’d not use it anywhere else, then privacy implications would be minimal.
jemmjemm,
I have a question regarding that, are you able to create a google account without a verified phone number? I wasn’t able to. If you have google services this probably gets submitted automatically, but on lineageos without google services there’s a forced verification step. Companies are insisting on a lot of personal information these days.
Or do you mean buying a burner device to create an aurora account? Isn’t it lovely that modern technology companies can make me feel like a drug dealer, haha.
I understand, it just sucks having to identify yourself to google just to install 3rd party applications. I wish I could download APKs directly from my bank without any google BS. Alas, both google and apple have convinced everyone to accept & embrace their duopoly as the only source for applications.
> I have a question regarding that, are you able to create a google account
> without a verified phone number?
My previous old test accounts did not need a phone number.
As a matter of testing the current situation, I created one now in desktop browser, and both recovery email and phone numbers were asked, but skipping them worked fine. So yes…. perfect burner account still possible – just use a laptop in some cafe to create account, load apps from Aurora store in another cafe (both outside your typical whereabouts) and it is reasonably anonymous for that matter.
jemmjemm,
Huh. Years ago that was the case for me as well, but I find it very interesting that it worked for you today. I don’t know how to bypass the phone verification…? Did I miss something?:
https://postimg.cc/zHm3V4qL
Is it possible that google have kept track of you in some other way? I am using FF with ublock and ghostery to make sure google can’t track me, and I set FF to clear my sessions every time the browser opens. Maybe google doesn’t like that? Do you have any idea why google may have let you create an account without a phone number? It makes me wonder if google has your accounts linked on their end.
Unless I figure this out, I’d still have to give up personally identifiable information to let google track me or buy a burner phone.
> I don’t know how to bypass the phone verification…? Did I miss something?:
> https://postimg.cc/zHm3V4qL
I did not get “Confirm you are not a robot” message. Just “Add your phone” and “Skip” button therein.
I see a US flag in the picture. Does it mean you were using a US IP address? If so, then maybe it is some feature based on geography? If so, maybe VPN to Europe will solve the need to insert phone number?
jemmjemm,
Yes US. It’s possible their phone number requirement policy may be dependent on IP geolocation, as you say. One hypothesis is that GDPR prevents them from taking personally identifiable information without permission?
I tested this again using chromium, no adblocking or anything strange. Google still insisted on the phone number. Even more curious, just now I tried logging into an old account that used to work and google refuses to let me log in there as well without sending them a phone number. So it’s pretty clear to me this is the policy for US users. It’s not clear to me whether they will periodically recheck the phone number that’s provided.
Honestly I’d rather use an APK mirror than have to create a google account for aurora. But I agree if it is based on ip geolocation, then an EU VPN should bypass the phone requirement.
Anyway, thank you for testing it on your end and being informative.
They emailed me a critical security alert…
Kind of ironic that they blocked the legitimate account owner. Also as the legitimate account owner, I am unable to “check activity” without providing a phone number.
Ultimately it’s google’s prerogative to demand what it wants of users, this isn’t my issue. My issue is that almost all apps in the real world are gated by google and apple. It reeks of monopoly and antitrust issues.
One important issue is difference in applications. For example Element (a popular Matrix client) is available both in F-Droid and Play stores, but they are internally different – the first one does not use any Google libs (the Firebase stuff) and of course the other one does. And there are privacy considerations in these differences. The same applies for many apps – the best starting point to see the differences is εxodus project (https://reports.exodus-privacy.eu.org/en/).
Luckily F-Droid has different trust chain and certificates (and in many cases reproducible builds), so straightforward crossover would not be easy. But if somehow it is achieved, then transparency for the users and ability to intervene would be very important.
jemmjemm,
I’ve seen this as well, some of the apps that are submitted to FOSS and have antifeatures and tracking removed. If there is an fdroid version, I choose it first.
Some fdroid applications like termux are being blocked by google’s app store. Termux requires legacy API to provide a linux shell because google’s newer APIs removed support for it.
https://github.com/termux-play-store
This means you have to sideload new releases of termux from another source. The future of termux is uncertain because google could update android to permanently remove the API level from all phones regardless of being side loaded.
I forgot to mention that there is a pretty new project called Obtainium (https://github.com/ImranR98/Obtainium), which aims to collect all the other (than F-Droid+Google Play) sources, where apk-files are published, both open and closed source.
Probably there is a hodge-podge of certificate chains in these apk-files, so I have no idea how it all fits in the grand scheme mentioned in the article and what may happen from the user’s point of view.
Oh… and then there is mobile device management (MDM) for organisations! Probably many sysadmins won’t be happy if their targeted selection of installed apps gets overridden by a third party.
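The signature-match condition raised in the comments above (an APK from another source can update an installed app only if it is signed with the same certificate) can be checked before switching sources. The following is an added example, not from the article or any commenter: it compares the SHA-256 digests printed by `apksigner verify --print-certs`. The sample outputs, digests and source names are constructed, and it assumes no APK Signature Scheme v3 key rotation.

```python
import re

# Line printed by `apksigner verify --print-certs <apk>` (Android SDK build-tools).
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)


def signer_digests(apksigner_output):
    """Return the set of signer certificate SHA-256 digests in the output."""
    return {d.lower() for d in DIGEST_RE.findall(apksigner_output)}


def can_update_in_place(installed_out, candidate_out):
    """True if the candidate APK carries the same signer set as the installed one.

    Assumption: no v3 key rotation, so the signer sets must be identical.
    """
    installed = signer_digests(installed_out)
    candidate = signer_digests(candidate_out)
    if not installed or not candidate:
        raise ValueError("no signer digest found; was the APK verified?")
    return installed == candidate


def compatible_sources(installed_out, candidates):
    """Names of sources whose build could update the installed APK in place."""
    return sorted(name for name, out in candidates.items()
                  if can_update_in_place(installed_out, out))


def _sample(dn, digest):
    # Constructed apksigner output; digests are placeholders, not real certs.
    return (f"Signer #1 certificate DN: {dn}\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n"
            f"Signer #1 certificate SHA-1 digest: {'0' * 40}\n")


UPSTREAM = "a1" * 32   # developer's key, used for the GitHub and Play builds
FDROID = "b2" * 32     # F-Droid rebuilds the app and signs with its own key
GITHUB_OUT = _sample("CN=Example Developer", UPSTREAM)
PLAY_OUT = _sample("CN=Example Developer", UPSTREAM.upper())
FDROID_OUT = _sample("CN=Example Repo Signer", FDROID)

if __name__ == "__main__":
    found = compatible_sources(GITHUB_OUT, {"play": PLAY_OUT, "fdroid": FDROID_OUT})
    print("sources that can update the GitHub install:", found)
```

A mismatch here means the update is rejected unless the installed copy is uninstalled first, which also discards the app's data.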