The Google Play Store is one of the most important apps on your device (presuming you run Google's Android), second only perhaps to Google Play Services. The Play Store forms the primary means of app distribution for most developers and the primary means of app discovery and maintenance for the average user. But primary does not mean exclusive, and both developers and users certainly have other mediums for distributing and downloading new apps. However, these mediums may pose a potential security risk to the end-user. Google is now preparing to have the Play Store warn you about apps that can install unknown apps in order to keep users informed, as well as testing an Incognito Mode setting.

An APK teardown can often predict features that may arrive in a future update of an application, but it is possible that any of the features we mention here may not make it into a future release. This is because these features are currently unimplemented in the live build and may be pulled at any time by the developers in a future build.


Incognito Mode

Google is refocusing on privacy and giving users back control over their data. More and more Google apps are receiving an Incognito Mode option to let users opt out of having their data collected for that session.

Google Play Store v17.0.11 contains new strings that indicate that the app will soon get its own Incognito Mode:

<string name="og_turn_on_incognito_mode">Turn on Incognito mode</string>
<string name="og_turn_off_incognito_mode">Turn off Incognito mode</string>

We expect Google to announce the rollout of this feature soon.


Warnings for active "Install Unknown Apps" permission

In Android 9 Pie, Google removed the universal toggle that allowed the installation of apps from outside of the Google Play Store, or "unknown apps" as they are called. Instead, users now have to grant a permission to every app that tries to queue an APK for installation when such APK does not originate from the Play Store. For example, Fortnite is available on Android but is not distributed through the Play Store for financial reasons. Users need to download the Fortnite Installer from Epic Games' website and then grant Chrome (or their browser of choice) the permission to sideload the Installer APK in order to queue the installation. Once you are done installing the Fortnite Installer, the installer recommends you revoke the permission from the browser in order to keep this gate closed and prevent silent misuse.

The Google Play Store is likely building upon this concept, reminding users to revoke the sideloading permission from other apps so that those apps cannot silently and maliciously misuse it.

<string name="protect_app_installation_permissions_page_body_none">You have no apps that can install unknown apps</string>
<string name="protect_app_installation_permissions_page_deny_all_button">Deny all</string>
<string name="protect_app_installation_permissions_page_deny_button">Deny</string>
<string name="protect_home_review_installation_permissions_body_o_plus">Some apps on this device can install unknown apps, which could put your device and personal information at risk</string>
<string name="protect_home_review_installation_permissions_button_plural">Review apps</string>
<string name="protect_home_review_installation_permissions_button_single">Review app</string>
<string name="protect_home_review_installation_permissions_title">Review app installation permissions</string>
<string name="protect_home_turn_off_unknown_sources_body">Unknown apps could put your device at risk. To prevent this, go to Security settings and turn off installations from \"Unknown sources\".</string>
<string name="protect_home_turn_off_unknown_sources_button">Go to Security settings</string>
<string name="protect_home_turn_off_unknown_sources_title">Turn off app installations from unknown sources</string>
<string name="protect_play_notification_review_installation_permissions_body">Some apps on this device can install unknown apps, which could put your device and personal information at risk</string>
<string name="protect_play_notification_review_installation_permissions_button">Review apps</string>
<string name="protect_play_notification_review_installation_permissions_title">Review app installation permissions</string>
<string name="protect_settings_app_installation_permissions_body">Review apps that can install unknown apps</string>
<string name="protect_settings_app_installation_permissions_section_title">Permissions</string>
<string name="protect_settings_app_installation_permissions_title">App installation permissions</string>

The Play Store is preparing to remind users to review the app installation permissions granted to other apps. We do not believe that this is intended to be a crackdown on sideloading apps on Android. Instead, this is very likely an attempt to close down a potential attack vector. Most users grant this permission and never bother to revoke it once their goals are achieved, which leaves the door open for potential misuse. Hopefully, Google's reminders will not be so aggressive as to become a constant annoyance for those who regularly monitor their sideloading activities.
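
Until such a review screen ships, the same check can be done by hand over adb. The shell script below is an added example, not code from the Play Store or from this teardown: it cross-references the apps that currently hold the "install unknown apps" grant with the installer recorded for each package. The function names, the HIGH/NORMAL labels and the sample package data are this example's own assumptions.

```shell
#!/bin/sh
# Added example: triage which apps hold the "Install unknown apps" grant.
# On a device the two inputs would come from:
#   adb shell cmd appops query-op REQUEST_INSTALL_PACKAGES allow  > allowed.txt
#   adb shell pm list packages -i                                 > pkgs.txt
PLAY_STORE=com.android.vending

# audit_installers ALLOWED_FILE PKGLIST_FILE
# Prints "<priority> <package> installer=<installer>" for each holder.
# HIGH = holder was not installed by the Play Store (this example's heuristic).
audit_installers() {
    [ -s "$1" ] || return 0            # nobody holds the grant: print nothing
    awk -v play="$PLAY_STORE" '
        { sub(/\r$/, "") }             # adb output may carry CRLF line endings
        NR == FNR {                    # first file: one package name per line
            if (NF == 1) allowed[$1] = 1   # skip blank or message lines
            next
        }
        /^package:/ {                  # second file: package:<name>  installer=<x>
            pkg = substr($1, 9); inst = "unknown"
            for (i = 2; i <= NF; i++)
                if ($i ~ /^installer=/) inst = substr($i, 11)
            if (pkg in allowed) {
                prio = (inst == play) ? "NORMAL" : "HIGH"
                print prio, pkg, "installer=" inst
                seen[pkg] = 1
            }
        }
        END {                          # holders missing from the package list
            for (p in allowed)
                if (!(p in seen)) print "HIGH", p, "installer=not-listed"
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample data (not captured from a real device).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' com.android.chrome com.example.filemanager > "$tmp/allowed"
    cat > "$tmp/pkgs" <<'EOF'
package:com.android.chrome  installer=com.android.vending
package:com.example.filemanager  installer=null
package:com.example.notes  installer=com.android.vending
EOF
    audit_installers "$tmp/allowed" "$tmp/pkgs"
    rm -rf "$tmp"
}
demo
```

Any app the script lists can have the grant revoked from the system's "Install unknown apps" settings page; HIGH entries are simply the ones to look at first.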


Thanks to PNF Software for providing us a license to use JEB Decompiler, a professional-grade reverse engineering tool for Android applications.