Earlier this month, Google announced that it would start adding metadata to applications downloaded from the Play Store. The metadata serves as proof that an APK originated from the Play Store, allowing devices to verify that the app hasn't been tampered with. However, there is a growing misconception that this is a form of DRM (Digital Rights Management), which simply isn't true.

In many parts of the world, technology is advancing faster than the infrastructure that supports it. This is especially evident in countries like India, where smartphones are most people's primary computer, but cellular networks often can't keep up with the demand. Google has introduced several apps and products specifically for India and other developing nations to address these problems.

One example is YouTube Go, which not only uses less data than the standard YouTube app, but it also allows users to transfer videos to someone else over a local connection. This benefits everyone - YouTube gains more viewers, and users don't have to use more cellular data (which is often capped and/or expensive in developing countries) than necessary.

Back in February, it looked like Google wanted to bring that same logic to the Play Store. An APK teardown revealed evidence of a "Google Play Peer To Peer App Install API," which would (presumably) allow apps to be transferred locally from one device to another. Of course, it has long been possible to transfer Android apps to another device. APKs can be easily extracted using a number of third-party apps (ML Manager is one example), and from there, you can easily send it to any application/service that supports file transfers. If an internet connection isn't readily available, Bluetooth or Wi-Fi direct will still work.

Your phone can't tell if an app is legitimate or not.

There's one major catch to installing applications from outside the Play Store—there's no way for a device to tell if the app is legitimate or not. It could have been injected with tracking code, or a cryptocurrency miner, or full-screen ads, and your phone would have no way of knowing.

Since day one, Android has only had one method of verifying if an app is legitimate - the signature. When a developer compiles an Android app, it is 'signed' with an encrypted key. However, the signature can't be used as a method of validation, unless you have something to compare it to. Think of a normal written signature. If you see just one signature for "Tim Cook," you have no way of knowing if that is Tim Cook's actual signature. But if you have a signature for Tim Cook and a scan of Tim Cook's signature from Wikipedia, you can tell if the first signature is legitimate or not.

In a similar manner, your Android device can only use the signature when installing app updates. If the update matches the signature of the original app, it can be installed. The signature breaks if the app is tampered with in any way (for example, if someone injects malware into an APK for Facebook), but apps can be re-signed. The re-signed apps won't be updated through the Play Store, because the signature won't match the real app, but it's enough for the initial installation.

Google's solution to this problem is to add metadata to applications downloaded from the Play Store, so Android devices can tell from the start if the app matches the version found on the Play Store. Here's how the company explains it:

In the future, for apps obtained through Play-approved distribution channels, we'll be able to determine app authenticity while a device is offline, add those shared apps to a user's Play Library, and manage app updates when the device comes back online. This will give people more confidence when using Play-approved peer-to-peer sharing apps. This also benefits you as a developer as it provides a Play-authorized offline distribution channel and, since the peer-to-peer shared app is added to your user's Play library, your app will now be eligible for app updates from Play.

In summary, users can be sure the apps they are receiving haven't been tampered with, and app developers might see a boost in installations (since transferring files over a local connection doesn't incur any charges). This won't solve the issue of malicious apps with altered package names, but there's not really anything that could be done to address that.

Shortly after Google's announcement several media outlets started incorrectly labelling the Play Store metadata as a form of Digital Rights Management. DRM is a nasty word, one that might bring up memories of music files locked to iTunes or online games that continuously require an internet connection to verify ownership.

The Play Store metadata is a second layer of verification, not DRM.

DRM's primary purpose is to restrict the use of an application, game, movie, or some other proprietary/copyrighted work. The Play Store metadata that Google is adding to APKs does not restrict the user in any way—it only serves as a second layer of verification on top of the existing APK signature.

Some outlets have presented the idea that future versions of Android may block apps without the metadata from being installed, which would make the Play Store comparable to Apple's "walled garden." There is no evidence whatsoever that this is true. Google has been heavily investing in Play Protect, which is primarily designed to scan sideloaded apps for malware. While the company would obviously prefer you download everything from the Play Store, it's also doing everything it can to make applications from unknown sources as safe as possible.

In summary, the metadata Google is adding to applications from the Play Store is definitely not DRM. It doesn't restrict users in the way that DRM does, and there's no evidence that future versions of Android will block apps without it. It could theoretically be used as the starting point for DRM, but as-is, it's just a verification method. You're more than welcome to keep installing pirated apps from a sketchy Russian website.