Some apps now refuse working if not installed by Play Store

Viewpoint0232

https://www.androidauthority.com/play-integrity-sideloading-detection-3480639/

In short: apps can now check if they were installed by Play Store and refuse to run if not. This seems to also detect if the app was installed by the Aurora Store and refuse to run: https://forum.fairphone.com/t/cannot-install-the-new-tesco-clubcard-app-fp4/93824/10

Similar to the the Play Integrity problem, this is something the app developer chooses to enable. But it will be a problem for GrapheneOS and other AOSP-based systems when more developers will check for this. In the linked example above, it's the Tesco Clubcard app which by all means is not a security-sensitive app.

Are there any known workarounds for this? Will GrapheneOS consider a feature that would allow the user to spoof the installation source, at least for the Aurora Store (which after all is pulling the app from the Play Store)?

I am aware that I can just give in and install the Play Store and create a Google account (giving them my phone number in the process), but I'd rather not. I'm quite happy installing my apps without a Google account, through a combination of F-Droid, Aurora and Obtainium.

angela

Viewpoint0232 Since Play Integrity API has to allow Apps to run offline, there should be some way this could be spoofed with virtualization or just having a background proceas immediately respond to the query with something that will allow the App to run.

How does Play Integrity query if the App has been properly installed the "good" way? Does it send certain identifiers to a server and then use that information to get a public integrity key? If that's all it does, then there could be a central database of identifiers and public key responses kept by rooted or GOS users and if the user can just query the database and spoof the identifiers to get the App to run. Would it be that "easy" or are some of the identifiers not spoofable? An App using Play Integrity has to somehow check with Google Play to see if it's been approved. Can a similar App with a similar name that's not actually Google Play be created to interxept these requests or would there be a cryptographic challenge in implementing that?

also (explitive) google's integrity play api

Oggyo

Viewpoint0232 apps can now check if they were installed by Play Store

Yeah, this has been by design for a long time, and not just recently happened.

As a workaround, I use another profile with Google Play Store and a logged-in (throwaway) account to update the affected apps, which I mainly use in my primary profile initially installed apps by Aurora.

Now I'm facing another challenge for at least one app that even requires me to be logged into Play Store. I guess this is the vendor's response to the (possible) installation source spoofing. Maybe the idea behind it is if I'm not signed in to Play Store - then I didn't install their app from Play Store. 🙄
So, the spoofing or the workaround above will not help me in this particular case.

PaulDavis

What benefit is it to the developer to know whether or not it came from the Play store, and to enforce the matter? Or is it the point that the free apps, such as Club card, collaborate with the google database so as to obtain more information?
Could an app like Lucky Patcher rebuild or nullify this intrusive act?

DeletedUser131

You could use obtanium to install the app. When adding the app to obtanium you have the option to "set Google Play as the installation source".

Dumdum

DeletedUser131 set Google Play as the installation source".

Only if you have Shizuku installed.

DeletedUser131

Dumdum

Dumdum Only if you have Shizuku installed.

Oh my bad, I missed that part.