LR89

Reputation: 397

Add Google Play "security metadata" without publishing an app

Recently Google has introduced security metadata that is added to every app uploaded to Google Play. We used to have tampering protection that calculates the app's signature (hash) at runtime and checks whether it is equal to the hash that was calculated during the release. This worked fine for years, but now Google Play is modifying the app's binary by adding the security metadata.

Upvotes: 1

Views: 672

Answers (2)

Nick Fortescue

Reputation: 13842

  • There is no way to disable the Google Play security metadata.
  • You can't get it without publishing an app.
  • APKs in alpha and beta channels are modified (or should be) but only if they were uploaded after the start date of the program (2018-06-19 12:00 UTC). However, the APK will have different metadata when it is in Beta to when it is in production.
  • Hashing solutions will continue to work, but not ones which hash the whole file. Alternatives you could consider include hashing the zip entries, or hashing the classes.dex files. These methods work successfully for other developers.

Another option which works if you occasionally have online access (which I assume you do if you are checking a hash) is to use the SafetyNet attestation API to check your app, and verify the signature offline on the server. Again, many big name developers use this successfully.

Upvotes: 2
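The answer above recommends hashing zip entries (or just the classes.dex files) instead of the whole file. The reason that works: Play's metadata is written into the APK Signing Block, which sits between the last zip entry and the central directory and is not itself a zip entry, so the uncompressed entry contents are unchanged. The script below is an added example, not code from the answerer or from Google; it builds a constructed zip as a stand-in for an APK, simulates the Play modification by inserting an opaque block (no real v2 signing-block structure) and patching the central-directory offset in the end-of-central-directory record, and then shows that a whole-file hash breaks while a per-entry hash over classes*.dex survives and still catches a modified dex. The entry names and payloads are made up; on a device you would read your own APK from `getApplicationInfo().sourceDir` and apply the same per-entry hashing.

```python
import hashlib
import hmac
import io
import struct
import zipfile

# Constructed stand-in for a release APK: a zip with dex files and resources.
# Real APKs carry far more, but the zip layout is what matters here.
def build_sample_apk(dex_payload: bytes = b"A" * 64) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + dex_payload)
        z.writestr("classes2.dex", b"dex\n035\x00" + b"B" * 64)
        z.writestr("res/layout/main.xml", b"<xml/>")
    return buf.getvalue()

EOCD_MAGIC = b"PK\x05\x06"
EOCD_LEN = 22  # fixed size when the archive has no trailing zip comment

def insert_signing_block(apk: bytes, block: bytes) -> bytes:
    """Simulate (simplified) what Play does to an uploaded APK: insert an
    opaque APK Signing Block between the last zip entry and the central
    directory, then patch the central-directory offset in the EOCD record.
    Local file headers and entry data are left untouched."""
    eocd_off = len(apk) - EOCD_LEN
    if apk[eocd_off:eocd_off + 4] != EOCD_MAGIC:
        raise ValueError("expected an archive without a zip comment")
    cd_off, = struct.unpack_from("<I", apk, eocd_off + 16)  # CD offset field
    eocd = bytearray(apk[eocd_off:])
    struct.pack_into("<I", eocd, 16, cd_off + len(block))
    return apk[:cd_off] + block + apk[cd_off:eocd_off] + bytes(eocd)

def whole_file_hash(apk: bytes) -> str:
    """The check that breaks: every byte of the file, metadata included."""
    return hashlib.sha256(apk).hexdigest()

def entry_hash(apk: bytes, select=lambda name: True) -> str:
    """Hash the uncompressed contents of the selected zip entries in sorted
    order, with names mixed in so a renamed or swapped entry is detected."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in sorted(z.namelist()):
            if not select(name):
                continue
            h.update(name.encode("utf-8") + b"\x00")
            h.update(z.read(name))
            h.update(b"\x00")
    return h.hexdigest()

def is_dex(name: str) -> bool:
    return name.startswith("classes") and name.endswith(".dex")

def dex_hash(apk: bytes) -> str:
    """Hash only the classes*.dex entries, i.e. the code being protected."""
    return entry_hash(apk, is_dex)

def verify(apk: bytes, expected_dex_hash: str) -> bool:
    """Runtime check: constant-time compare against the value recorded at release."""
    return hmac.compare_digest(dex_hash(apk), expected_dex_hash)

if __name__ == "__main__":
    release = build_sample_apk()
    expected = dex_hash(release)  # record this value at release time
    published = insert_signing_block(release, b"PLAY-SECURITY-METADATA" * 4)
    print("whole-file hash survives Play:", whole_file_hash(release) == whole_file_hash(published))
    print("dex hash survives Play:      ", verify(published, expected))
    print("tampered dex detected:       ", not verify(build_sample_apk(b"Z" * 64), expected))
```

Hashing only the dex entries does not cover native libraries or resources; widen the selector to `lib/` and `res/` if those matter, and leave `META-INF/` out if you still ship a v1 signature, since those files change at signing time. Any purely offline check can also be patched out of the app itself, which is why the answer's second suggestion (SafetyNet attestation verified server-side) is the stronger option when you have network access.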

Pierre

Reputation: 17437

Not directly answering your questions, sorry, but posting anyway in case it helps you or anyone else in the same situation: instead of checking the hash, have you considered verifying the signature of the APK? Apksig is an open source library and would allow you to achieve a similar result in a more robust way.

Upvotes: 0
