
Support for verifying Google Play security metadata

Open kasia-de opened this issue 10 months ago • 2 comments

https://android-developers.googleblog.com/2018/06/google-play-security-metadata-and.html

Request:

Could AppVerifier verify Google Play security metadata?

Rationale:

AppVerifier verifying the Google Play security metadata will allow people to use untrusted sources where APKs are redistributed, such as apkmirror.com and others, while ensuring the integrity and root of trust of obtained applications.

Google Play security metadata is verified offline by the Google Play Store Android application, and the metadata is kept intact when transferring the APKs, or backing them up from a device. It is written on the Android Developers Blog that the "metadata addition" is "inserted into the APK Signing Block."

Time cost:

It seems to me that this could be possible, potentially requiring at most some reverse engineering of the Google Play Store application, or analysis of the signing blocks of APKs served by the Google Play Store.

kasia-de avatar Feb 16 '25 02:02 kasia-de

https://android.googlesource.com/platform/frameworks/base/+/master/core/java/android/util/apk/SourceStampVerifier.java

soupslurpr avatar Feb 16 '25 02:02 soupslurpr

I would greatly appreciate that feature - that we can at least be sure to have the same APKs as Google Play distributes (without having to share all of our data with Google).

qdrop17 avatar Oct 13 '25 14:10 qdrop17